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ABSTRACT 


The National Institute of Standards and Technology (NIST) Modes of Operation Validation 
System (MOVS) specifies the procedures involved in validating implementations of the DBS 
algorithm in FIPS PUB 46-2 The Data Encryption Standard (DES) and the Skipjack algorithm in 
FIPS PUB 185, Escrowed Encryption Standard (ESS). The MOVS is designed to perform 
automated testing on Implementations Under Test (lUTs). This publication provides brief 
overviews of the DES and Skipjack algorithms and introduces the basic design and configuration 
of the MOVS. Included in this overview are the specifications for the two categories of tests 
which make up the MOVS, i.e., the Known Answer tests and the Modes tests. The requirements 
and administrative procedures to be followed by those seeking formal NIST validation of an 
implementation of the DES or Skipjack algorithm are presented. The requirements described 
include the specific protocols for communication between the lUT and the MOVS, the types of 
tests which the lUT must pass for formal NIST validation, and general instructions for accessing 
and interfacing with the MOVS. An appendix with tables of values and results for the DES and 
Skipjack Known Answer tests is also provided. 

Key words: automated testing, computer security, cryptographic algorithms, cryptography. Data 
Encryption Standard (DES), Federal Information Processing Standard (FIPS), NVEAP, Skipjack 
algorithm, secret key cryptography, validation. 

1. INTRODUCTION 


1.1 Background 

This publication specifies the various tests required to validate implementations under test (lUTs) 
for conformance to the DES and Skipjack algorithms. When applied to lUTs of the DES 
algorithm, the Modes of Operation Validation System (MOVS) provides conformance testing for 
the various components of the algorithm, as well as testing for apparent operational errors. The 
MOVS is also used to test for apparent operational errors in lUTs of the Skipjack algorithm. 

The MOVS is composed of two types of validation tests, the Known Answer tests and the Modes 
tests. Both of these are based on validation tests described in SP500-20, Validating the 
Correctness of Hardware Implementations of the NBS Data Encryption Standard. As SP500- 
20's title implies, the validation tests were written to validate hardware implementations of the 
DES algorithm. SP800-17 expands on this by specifying how to validate implementations of the 
DES algorithm in software, firmware, hardware, or any combination thereof. The document also 
addresses implementations of the Skipjack algorithm, which must be implemented in electronic 
devices (e.g., very large scale integration chips). The Known Answer tests and Modes tests are 
based on the standard DES test set and the Monte-Carlo tests respectively, as specified in SP500- 
20. 
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To perform the Known Answer tests, the MOVS supplies known values to the lUT. The lUT 
then processes the input through the implemented algorithm, and the results are compared to 
expected values. When applied to lUTs of the DBS algorithm, the Known Answer tests verify 
that the lUT correctly implements the components of the algorithm (e.g., S boxes,...). When 
applied to lUTs of the Skipjack algorithm, these same tests verify that the implemented algorithm 
produces the correct results, i.e., given known input, the correct results are produced. 

Since the test set used for the Known Answer tests is public knowledge, another type of 
validation test has been designed to use pseudo-random data. This test is the Modes test. The 
Modes test verifies that the lUT has not been designed just to pass the Known Answer tests. A 
successful series of Modes tests gives some assurance that an anomalous combination of inputs 
does not exist that would cause the test to end abnormally for reasons not directly related to the 
implementation of the algorithm. An additional purpose of the Modes test is to verify that no 
undesirable condition within the lUT will cause the key or plaintext to be exposed due to an 
implementation or operational error. The Modes test is not a reliability test, but merely checks for 
the presence of an apparent operational error. 


1.2 Organization 

Section 2 gives a brief overview of the DBS and Skipjack algorithms and the four modes of 
operation allowed by both of these algorithms. Section 3 provides an overview of the tests which 
make up the Modes of Operation Validation System (MOVS) for the DBS and Skipjack 
algorithms. Section 4 describes the basic protocol used by the MOVS. Section 5 provides a 
detailed explanation of each test required by the MOVS to validate an lUT of the DBS and 
Skipjack algorithms. Section 6 outlines the design of the MOVS. Appendix A provides an 
example of round outputs for the DBS, and Appendix B provides tables of values for the Known 
Answer tests for both the DBS and Skipjack algorithms. These tables include Table 1 - Resulting 
Ciphertext from the Variable Plaintext Known Answer Test for DBS, Table 2 - Resulting 
Ciphertext from the Variable Key Known Answer Test for DBS, Table 3 - Values to be Used for 
the Permutation Operation Known Answer Test, Table 4 - Values to be Used for the Substitution 
Tables Known Answer Test, Table 5 - Resulting Ciphertext from the Variable Plaintext Known 
Answer Test for Skipjack, and Table 6 - Resulting Ciphertext from the Variable Key Known 
Answer Test for Skipjack. 
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2. PRIVATE KEY ALGORITHMS 


2.1 Data Encryption Standard (DES) (FIPS PUB 46-2) 

FIPS PUB 46-2, The Data Encryption Standard (DES), published on December 30, 1993, is a 
cryptographic algorithm which has been standardized for use within the Federal Government for 
protecting the transmission and storage of unclassified computer data. DES is a FIPS approved 
cryptographic algorithm as required by FIPS 140-1, Security Requirements for Cryptographic 
Modules, January 11, 1994. 

The DES algorithm is a recirculating, 64-bit, block product cipher whose security is based on a 
secret key. The DES keys are 64-bit binary vectors consisting of 56 information bits and 8 parity 
bits. The parity bits are reserved for error detection purposes and are not used by the encryption 
algorithm. The 56 information bits are used by the enciphering and deciphering operations and 
are referred to as the active key. 

In the enciphering computation, a block to be enciphered is subjected to an initial permutation 
(IP), then to a complex key-dependent computation and finally to a permutation which is the 
inverse of the initial permutation (IP '). The key-dependent computation can be defined in terms 
of a function f, called the cipher function, and a function KS, called the key schedule. The 
function f involves E operators, substitution tables (S-boxes), and permutations (P). The 64 bit 
input block is divided into two halves, each consisting of 32 bits. One half is used as input to the 
function/, and the result is exclusive ORed to the other half. After one iteration, or round, the 
two halves of data are swapped, and the operation is performed again. The DES algorithm uses 
16 rounds to produce a recirculating block product cipher. The cipher produced by the algorithm 
displays no correlation to the input. Every bit of the output depends on every bit of the input and 
on every bit of the active key. An example of round-by-round encryption for a given key and 
plaintext is shown in Appendix A. 

Eor a thorough discussion of the DES algorithm and its components, consult EIPS PUB 46-2. 
Guidelines on the proper usage of the DES are published in EIPS PUB 74, Guidelines for 
Implementing and Using the NBS Data Encryption Standard. A brief description of the 
components of the DES algorithm follows. 
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2.1.1 The S-boxes 


The non-linear substitution tables, or S-boxes, constitute an important part of the algorithm. The 
purpose of the S-boxes is to ensure that the algorithm is not linear. There are eight different S- 
boxes. Figure 2.1 displays one of these. Each S-box contains 64 entries, organized as a 4x16 
matrix. Each entry is a four bit binary number, represented as 0-15. A particular entry in a single 
S-box is selected by six bits, two of which select a row and four select a column. The entry in the 
corresponding row and column is the output for that input. Each row in each S-box is a 
permutation of the numbers 0-15, so no entry is repeated in any one row. The output of the 
parallel connection of eight S-boxes is 32 bits. 
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Figure 2.1 One of the Eight S-Boxes in the DES 
2.1.2 The Key Schedule 

The key schedule provides a linear means of thoroughly intermixing the bits of the 56-bit key 
specified for use in the DES operation to form a different 48-bit key for each of the 16 rounds of 
the DES algorithm. This is done in the following manner: The key is subjected to a permuted 
choice 1 (PCI) where the bits of the key are reorganized. The permuted key is then divided into 
two parts denoted C; and Dj. These parts are shifted left a predetermined number of times 
producing and Dj^.!. The resulting values are subjected to a permuted choice 2 (PC2) which 
reorganizes the bits again, producing the round key To compute the next round key Ki^. 2 , 
Ci+i and Di ^.1 are shifted left a predetermined number of times. The resulting value is then 
subjected to PC2. This procedure is repeated to calculate the 16 round keys. 

Both the permutations in the key-schedule, PCI and PC2, intermix the key bits among the round 
keys in such a way as to equalize key-bit utilization. It does this by forcing each key bit to be 
used no more than 15 times and no less than 12 times. 

Eigure 2.2 shows how the key schedule determines the sixteen 48-bit round keys from the 56-bit 
encryption key. 
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Figure 2.2 The Key Schedule for the DES 


2.1.3 The Permutations and E Operator 

The role of the permutation P is to thoroughly mix the data bits so they cannot be traced back 
through the S-boxes. The initial and final permutations are byte oriented, and the data is output 
eight bits at a time. The operator E expands a 32 bit input to a 48 bit output that is added mod 
two to the round key. The permutations in the key-schedule, PCI and PC2, intermix the bits that 
result from the S-box substitution in a complex way to prevent bit tracing. 

Each permutation is a linear operator, and so can be thought of as an n x m matrix and can be 
validated completely if it operates correctly on an appropriate maximal linearly independent set of 
input vectors, i.e., a suitable basis. 


2.2 Skipjack Encryption Algorithm 

The Skipjack algorithm is a classified symmetric-key cryptographic algorithm designed by the 
National Security Agency (NSA). The specifications for the Skipjack algorithm are contained in 
the R21 Informal Technical Report entitled "SKIPJACK" (S), R21-TECH-044-91, May 21, 1991. 
Organizations holding an appropriate security clearance and entering into a Memorandum of 
Agreement with the National Security Agency regarding implementations of the standard will be 
provided access to the classified specifications. 

As discussed in EIPS PUB 185, Escrowed Encryption Standard (ESS), the Skipjack algorithm has 
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been approved for government applications requiring the encryption of sensitive but unclassified 
data telecommunications. The Skipjack algorithm is a 64-bit code book transformation that 
utilizes the same four DBS modes of operation as specified in FIPS PUB 81, DES Modes of 
Operation and FIPS PUB 74, Guidelines for Implementing and Using the NBS Data Encryption 
Standard. Skipjack uses an 80-bit encryption/decryption key (compared with a 56-bit key used 
by DES) and has 32 rounds of processing per single encrypt/decrypt operation (compared with 16 
rounds for the DES). Skipjack outputs 64 bits of output per round. 

The Skipjack algorithm may only be implemented in electronic devices (e.g., very large scale 
integration chips). The devices may be incorporated in security equipment used to encrypt (and 
decrypt) sensitive unclassified telecommunications data. 


2.3 The Four Modes of Operation 

The DES and Skipjack algorithms both utilize the same four modes of operation specified in FIPS 
PUB 81, DES Modes of Operation. These modes are the Electronic Codebook (ECB) Mode, the 
Cipher Block Chaining (CBC) Mode, the Cipher Feedback (CEB) Mode, and the Output 
Feedback (OFB) Mode. 
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2.3.1 Electronic Codebook (ECB) Mode 


ECB ENCRYPTION 


ECB DECRYPTION 




Figure 2.3 Electronic Codebook (ECB) Mode 


The Electronic Codebook (ECB) mode is shown in Eigure 2.3. In ECB encryption, a plaintext 
data block (Dj, D 2 , ..., 0 ^ 4 ) is used directly as the input block (Ij, I 2 ,..., 154 ). The input block is 
processed through the DES or Skipjack algorithm in the encrypt state. The resultant output block 
(Oi, 02 ,..., 064 ) is used directly as ciphertext (Cj, C 2 ,..., C 64 ). 

In ECB decryption, a ciphertext block (Cj, C 2 ,..., C 64 ) is used directly as the input block (Ij, 
I 2 ,...,l 64 ). The input block is then processed through the DES or Skipjack algorithm in the decrypt 
state. The resultant output block (Oj, 02 ,..., 064 ) produces the plaintext (Di,D 2 ,...,Dg 4 ). The ECB 
decryption process is the same as the ECB encryption process except that the decrypt state of the 
DES or Skipjack algorithm is used rather than the encrypt state. 
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2.3.2 Cipher Block Chaining (CBC) Mode 


NOTE: All variables are 64 bits in length. 



Figure 2.4 Cipher Block Chaining (CBC) Mode 


As shown in the upper half of Figure 2.4, the Cipher Block Chaining (CBC) mode begins 
processing by dividing a plaintext message into 64 bit data blocks. In CBC encryption, the first 
input block (Ij, I 2 ,...,l 64 ) is formed by exclusive-ORing the first plaintext data block (Dj, D 2 , ..., 
Dg 4 ) with a 64-bit initialization vector IV, i.e., (Ii,l 2 ,...,l 64 ) = (IVjeDi, IV 2 eD 2 ,... IVg 4 eDg 4 ). The 
input block is processed through the DBS or Skipjack algorithm in the encrypt state, and the 
resulting output block is used as the ciphertext, i.e., (Ci,C 2 ,...,C 64 ) = (0i,02,...,064). This first 
ciphertext block is then exclusive-ORed with the second plaintext data block to produce the 
second input block, i.e., (Ii,l 2 ,...,l 64 ) = (CieDi,C 2 eD 2 ,...,C 64 eDg 4 ). Note that I and D now refer to 
the second block. The second input block is processed through the DBS or Skipjack algorithm in 
the encrypt state to produce the second ciphertext block. This encryption process continues to 
"chain" successive cipher and plaintext blocks together until the last plaintext block in the message 
is encrypted. If the message does not consist of an integral number of data blocks, then the final 
partial data block should be encrypted in a manner specified for the application. One such method 
is described in Appendix C of TIPS PUB 81. 
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In CBC decryption (see the lower half of Figure 2.4), the first ciphertext block of an encrypted 
message is used as the input block and is processed through the DBS or Skipjack algorithm in the 
decrypt state, i.e., (Ii,l 2 ,...,l 64 ) = (Ci,C 2 ,...,C 64 ). The resulting output block, which equals the 
original input block to the algorithm during encryption, is exclusive-ORed with the IV (which 
must be the same as that used during encryption) to produce the first plaintext block, i.e., 
(Di,D 2 ,...,D 64 ) = (0ieIVi,02eIV2,...,064eIVg4). The second ciphertext block is then used as the 
next input block and is processed through the DBS or Skipjack algorithm in the decrypt state. 

The resulting output block is exclusive-ORed with the first ciphertext block to produce the 
second plaintext data block, i.e., (Di,D 2 ,...,Dg 4 ) = (OjeCi, 02002 ,..., 0540064 ). (Note D and O 
refer to the second block.) The OBO decryption process continues in this manner until the last 
complete ciphertext block has been decrypted. Oiphertext representing a partial data block must 
be decrypted in a manner as specified for the application. 
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2.3.3 Cipher Feedback (CFB) Mode 
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Figure 2.5 Cipher Feedback (CFB) Mode 


The Cipher Feedback (CFB) mode is shown in Figure 2.5. A message to be encrypted is divided 
into K-bit data units, where K may equal 1 through 64 inclusively (K = 1,2,...,64). In both the 
CFB encrypt and decrypt operations, an initialization vector (IV) of length L is used, where L 
may equal 1 through 64 inclusively (L=l,2,...,64). The IV is placed in the least significant bits of 
the input block with the unused bits set to "0", i.e., (Ii,l 2 ,...,l 64 ) = (0,0,...,0,IVi,IV2,...,IVl). This 
input block is processed through the DBS or Skipjack algorithm in the encrypt state to produce an 
output block. During encryption, ciphertext is produced by exclusive-ORing a K-bit plaintext 
data unit with the most significant K bits of the output block, i.e.,(Ci,C 2 ,...,CK) = (DjeOi, D2e02, 
... , Dj^eOj^). Similarly, during decryption, plaintext is produced by exclusive-ORing a K-bit unit 
of ciphertext with the most significant K bits of the output block, i.e., (D|,D 2 ,...,Dj^) = 
(Cie0i,C2e02,...,CK©0K). In both cases the unused bits of the output block are discarded. For 
both the encryption and decryption processes, the next input block is created by discarding the 
most significant K bits of the previous input block, shifting the remaining bits K positions to the 
left and then inserting the K bits of ciphertext just produced in the encryption operation or just 
used in the decryption operation into the least significant bit positions, i.e., (Ii,l 2 ,...,l 64 ) = (I[k+i]» 
I[k+ 2 ]’ ••• ’ l 64 ’Ci,C 2 , ...Ck). This input block is then processed through the DBS or Skipjack 
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algorithm in the encrypt state to produce the next output block. This process continues until the 
entire plaintext message has been encrypted or until the entire ciphertext message has been 
decrypted. For each operation of the DBS or Skipjack algorithm, one K-bit unit of plaintext 
produces one K-bit unit of ciphertext, and one K-bit unit of ciphertext produces one K-bit unit of 
plaintext. 
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2.3.4 Output Feedback (OFB) Mode 


ENCRYPTION DECRYPTION 



Figure 2.6 Output Feedback (OFB) Mode 


The Output Feedback (OFB) mode is shown in Figure 2.6. A message to be encrypted is divided 
into K-bit data units, where K may equal 1 through 64 inclusively, (K = 1,2,...,64). In both the 
OFB encrypt and decrypt operations, an initialization vector (IV) of length L is used, where L 
may equal 1 through 64 inclusively, (L=l,2,...,64). The IV is placed in the least significant bits of 
the input block with the unused bits set to "0", i.e., (Ii,l 2 ,...,l 64 ) = (0,0,...,0,IVi,IV2,...,IVl). This 
input block is processed through the DES or Skipjack algorithm in the encrypt state to produce an 
output block. During encryption, ciphertext is produced by exclusive-ORing a K-bit plaintext 
data unit with the most significant K bits of the output block, i.e., (Ci,C 2 ,...,Ck) = (DjeOj, 02002, 
...,Dj4©0k). Similarly, during decryption, plaintext is produced by exclusive-ORing a K-bit unit of 
ciphertext with the most significant K bits of the output block, i.e., (D|,D 2 ,...,Dk) = 
(Ci©0i,C2©02,...,Ck©0k). In both cases the next input block is assigned the value of the output 
block, i.e., (Ii,l 2 ,...,l 64 ) = ( 0 i, 02 , ..., 0 ^ 4 ). This input block is then processed through the DES or 
Skipjack algorithm in the encrypt state to produce the next output block. This process continues 
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until the entire plaintext message has been encrypted or until the entire ciphertext message has 
been decrypted. For each operation of the DBS or Skipjack algorithm, one K-bit unit of plaintext 
produces one K-bit unit of ciphertext or one K-bit unit of ciphertext produces one K-bit unit of 
plaintext. 

Note that, originally, FIPS 81 allowed less than 64 bits of feedback to be used. It was discovered 
that when this is done, there is a risk of generating short cycles. That is, when the same key is 
used, and multiple encryptions or decryptions have occurred, then the resulting output block may 
be equal to an input block from a previous iteration. If that occurs, then further encryption or 
decryption using the same key will result in a repetition of previously generated output and input 
blocks. This increases the risk of a cryptanalyst recovering the original plaintext. Because of this 
short cycle property, NIST does not support the use of the OFB mode for any amount of 
feedback less than 64 bits. Note that this short cycle property is not a problem with the DBS 
algorithm, and would occur using any block cipher in a similar manner. 
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3. MODES OF OPERATION VALIDATION SYSTEM FOR THE DES AND SKIPJACK 

ALGORITHMS 


The MOVS for the DES and Skipjack algorithms consists of two types of tests, the Known 
Answer tests and the Modes tests. The MOVS provides conformance testing for the individual 
components of an lUT of the DES algorithm and analyzes lUTs of the DES and Skipjack 
algorithms for apparent operational errors. Note that the individual components of an lUT of the 
Skipjack algorithm are not tested by the MOVS since Skipjack is classified. 

The lUTs of the DES algorithm may be written in software, firmware, hardware, or any 
combination thereof. The lUTs of the Skipjack algorithm must be implemented in electronic 
devices (e.g., very large scale integration chips). Eor the remainder of this document, the word 
implementation will reflect the definition pertaining to the algorithm being discussed. 

An lUT must allow the MOVS to have control over the required input parameters for validation 
to be feasible. The ability to initialize or load known values to the variables required by a specific 
test may exist at the device level or the chip level in an lUT. If an lUT does not allow the MOVS 
to have control over the input parameter values, the MOVS tests cannot be performed. 

An lUT may implement encryption only, decryption only, or both encryption and decryption. 

This will determine which MOVS tests will be performed by an lUT. 

The following subsections provide an overview of the Known Answer tests and the Modes tests. 
Also discussed are the various tests required to validate lUTs of the DES and Skipjack 
algorithms. 


3.1 The Known Answer Tests 

The Known Answer tests are based on the standard DES test set discussed in SP500-20. When 
applied to lUTs of the DES algorithm, the Known Answer tests verify that the lUT correctly 
performs the algorithm. The tests also provide conformance testing for the following components 
of an lUT of the DES algorithm: the initial permutation IP, the inverse permutation IP ', the 
expansion matrix E, the data permutation P, the key permutations PCI and PC2, and the 
substitution tables Sj, S 2 ,...,S 8 . When applied to lUTs of the Skipjack algorithm, these same tests 
verify that the implemented algorithm produces the correct results, i.e., given known input, the 
correct results are produced. 

A generic overview of the sets of Known Answer tests required for the validation of lUTs 
implementing the encryption and/or decryption processes of all modes of operation for both the 
DES and Skipjack algorithms are discussed below. 
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3.1.1 The Encryption Process 

An lUT of the DES algorithm which allows encryption requires the successful completion of five 
Known Answer tests. These are the Variable Plaintext Known Answer test, the Inverse 
Permutation Known Answer test for the Encryption Process, the Variable Key Known Answer 
test for the Encryption Process, the Permutation Operation Known Answer test for the 
Encryption Process, and the Substitution Table Known Answer test for the Encryption Process. 
The Permutation Operation and the Substitution Table Known Answer tests do not apply to the 
Skipjack algorithm. Therefore, an lUT of the Skipjack algorithm which allows encryption 
requires only the successful completion of the Variable Plaintext Known Answer test, the Inverse 
Permutation Known Answer test for the Encryption Process, and the Variable Key Known 
Answer test for the Encryption Process. 

These Known Answer tests are also used in the testing of lUTs implementing the CEB and OEB 
modes of operation in the decryption process. The reason for this is that both of these modes 
utilize the encrypt state in the decryption process. 


3.1.1.1 The Variable Plaintext Known Answer Test 

To perform the Variable Plaintext Known Answer test, the MO VS supplies the lUT with initial 
values for the plaintext and, if applicable, the initialization vector. These values are dependent 
upon the mode of operation being implemented. The key should be initialized to zero. Each 
block of data input into the DES or Skipjack algorithm is represented as a 64-bit basis vector. By 
definition, a basis vector is a vector consisting of a "1" in the i* position and "0" in all of the other 
positions. The input block is processed through the algorithm in the encrypt state. The resulting 
output block is used in the calculation of the ciphertext which is then recorded. Each of the basis 
vectors is tested. At the completion of the 64* test, all results are verified for correctness. 

If correct results are obtained from an lUT of the DES algorithm, the Variable Plaintext Known 
Answer test has verified the initial permutation (IP) and the expansion matrix E by presenting a 
full set of basis vectors to the IP and to the E. If the results from each test of an lUT of the 
Skipjack algorithm match the expected results, the Skipjack algorithm has been verified. 


3.1.1.2 The Inverse Permutation Known Answer Test for the Encrypt State 

To perform the Inverse Permutation Known Answer test, the MO VS supplies the lUT with initial 
values for the plaintext and, if applicable, the initialization vector. The plaintext values are set to 
the ciphertext results obtained from the Variable Plaintext Known Answer test. 
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The key being used by this test is called a self dual key. A self dual key is a key with the property 
that when you encrypt twice with this key the result is the initial input. Therefore, it is l ik e 
encrypting and decrypting with the same key. The key should be initialized to zero, the same 
value used in the Variable Plaintext Known Answer test. 

The input block is processed through the algorithm in the encrypt state. The resulting output 
block is used in the calculation of the ciphertext which is then recorded. The ciphertext should be 
the same as the plaintext used as input to the Variable Plaintext Known Answer test. At the 
completion of the 64* test, all results are verified for correctness. 

This test, when applied to an lUT of the DBS algorithm, verifies the inverse permutation (IP ') by 
presenting each basis vector to the IP ' as the basis vectors are recovered. If the results from each 
test of an lUT of the Skipjack algorithm match the expected results, the Skipjack algorithm has 
been verified. 


3.1.1.3 The Variable Key Known Answer Test for the Encryption Process 

To implement the Variable Key Known Answer test for the Encryption Process, the MOVS 
supplies the lUT with initial values for the key, the plaintext, and, if applicable, the initialization 
vector. During the initialization process, the plaintext and the initialization vector are set to zero. 
The key is initialized to an n-bit vector, where n is 56 if DES is being implemented, and 80 if 
Skipjack is being implemented. This vector will contain a "1" in the i"’ significant position and 
"0"s is all remaining significant positions of a key where i = 1 to n. (Note that the parity bits are 
not counted in the significant bits. These parity bits may be "l"s or "0"s to maintain odd parity.) 
An input block is then formed according to the mode of the algorithm being implemented, and 
encrypted. The resulting output block is used in the calculation of the ciphertext which is 
recorded for later comparison. This test is repeated n times, allowing for every possible vector to 
be tested. At the completion of the n* test, all results are verified for correctness. 

When this test is performed for an lUT of the DES algorithm, the 56 possible basis vectors which 
yield unique keys are presented to PCI verifying the key permutation, PCI. Since the key 
schedule consists of left shifts, as i ranges over the index set, a complete set of basis vectors is 
presented to PC2 as well, so this is verified. If the results from each test of an lUT of the 
Skipjack algorithm match the expected results, the Skipjack algorithm has been verified. 


3.1.1.4 The Permutation Operation Known Answer Test for the Encryption Process 

The Permutation Operation Known Answer test for the Encryption Process only applies to lUTs 
of the DES algorithm. To implement this test, the MOVS supplies the lUT with initial values for 
the key, the plaintext and, if applicable, the initialization vector, with the plaintext and 
initialization vector being set to zero. Based on the mode of operation of DES implemented, an 
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input block is formed and encrypted. The resulting output block is used in the calculation of the 
ciphertext which is recorded for later comparison. This test is repeated 32 times, allowing for 32 
given values to be tested. At the completion of the 32"‘* test, all results are verified for 
correctness. 

This test presents a complete set of basis vectors to the permutation operator P. By doing so, P is 
verified. 


3.1.1.5 The Substitution Table Known Answer Test for the Encryption Process 

The Substitution Table Known Answer test for the Encryption Process only applies to lUTs of 
the DES algorithm. The MO VS supplies the lUT with initial values for the key, the plaintext and, 
if applicable, the initialization vector which is initialized to zero. Based on the mode of operation 
of DES implemented, an input block is formed and encrypted. The resulting output block is used 
in the calculation of the ciphertext which is recorded for later comparison. This test is repeated 
19 times in order to process a set of 19 key-data pairs. At the completion of the 19* test, all 
results are verified for correctness. 

The set of 19 key-data pairs used in this test result in every entry of all eight S-box substitution 
tables being used at least once. Thus, this test verifies the eight substitution tables of 64 entries 
each. 


17 



3.1.2 The Decryption Process 


The five Known Answer tests required for validation of lUTs implementing the decryption 
process of the DBS or Skipjack algorithms consist of the Variable Ciphertext Known Answer test, 
the Initial Permutation Known Answer test for the Decryption Process, the Variable Key Known 
Answer test for the Decryption Process, the Permutation Operation Known Answer test for the 
Decryption Process and the Substitution Table Known Answer test for the Decryption Process. 
These tests can only be performed by lUTs that support the Electronic Codebook (ECB) and the 
Cipher Block Chaining (CBC) modes of operation since only these modes of operation utilize the 
decrypt state during the decryption process. The CEB and OEB modes of operation utilize the 
encrypt state in the decryption process and therefore should be tested using the same Known 
Answer tests used for lUTs that support the encryption process. Only the Variable Ciphertext 
Known Answer test, the Initial Permutation Known Answer test for the Decryption Process, and 
the Variable Key Known Answer test for the Decryption Process apply to the Skipjack algorithm. 


3.1.2.1 The Variable Ciphertext Known Answer Test 

To perform the Variable Ciphertext Known Answer test, the values of the ciphertext, the key, 
and, if applicable, the initialization vector are initialized, with the key and the initialization vector 
being initialized to zero. If the lUT performs both encryption and decryption, the values resulting 
from the encryption performed in the Variable Plaintext Known Answer test will be used to 
initialize the ciphertext. Otherwise, the MO VS will supply the lUT with the ciphertext values. 

The value of the ciphertext is used directly as the input block of data. The input block is 
processed through the algorithm in the decrypt state, resulting in an output block. The output 
block is used in the calculation of the plaintext which is then recorded. This test is repeated for 
64 cycles and should result in a set of 64 different basis vectors. Eor lUTs of the DBS algorithm, 
this test verifies the inverse permutation IP ' by presenting the basis vectors to the IP ' as they are 
recovered. 

If the Skipjack algorithm is implemented and the lUT produces correct results (i.e., the basis 
vectors are recovered), this test ends successfully. 


3.1.2.2 The Initial Permutation Known Answer Test for the Decryption Process 

To perform the Initial Permutation Known Answer test for the Decryption Process, the values of 
the ciphertext are set to the resulting plaintext values obtained from the Variable Ciphertext 
Known Answer test. The key, and, if applicable, the initialization vector are set to the same 
values used in the Variable Ciphertext Known Answer test, i.e., they are set to zero. 

The value of the ciphertext is used directly as the input block of data. The input block is 
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processed through the algorithm in the decrypt state, resulting in an output block. The output 
block is used in the calculation of the plaintext which is then recorded. This test is repeated for 
64 cycles and should result in the set of ciphertext values used as input to the Variable Ciphertext 
Known Answer test. 

For lUTs of the DBS algorithm, the initial permutation IP and the expansion matrix E are verified 
by presenting the full set of basis vectors to both of them. 

If the Skipjack algorithm is implemented and the lUT produces correct results (i.e., the basis 
vectors are recovered), this test ends successfully. 


3.1.2.3 The Variable Key Known Answer Test for the Decryption Process 

To implement the Variable Key Known Answer test for the Decryption Process, the values of the 
ciphertext, key, and, if applicable, the initialization vector are initialized. The ciphertext is 
initialized in one of two ways. If the lUT performs both encryption and decryption, the values 
resulting from the encryption performed in the Variable Key Known Answer test for the 
Encryption Process will be used to initialize the ciphertext. Otherwise, the lUT will obtain the 
ciphertext values from the MOVS. The IV is set to zero. The key is initialized to an n-bit vector, 
where n is 56 if DBS is being implemented and 80 if Skipjack is being implemented. This vector 
will contain a "1" in the i* significant position and "0"s is all remaining significant positions of a 
key where i = 1 to n. (Note that the parity bits are not counted in the significant bits. These 
parity bits may be "l"s or "0"s to maintain odd parity.) 

The value of the ciphertext is used directly as the input block of data. The input block is 
processed through the algorithm in the decrypt state. According to the mode of operation 
supported by the lUT, the resulting output block is used in the calculation of the plaintext which 
is recorded for later comparison. This test is repeated n times allowing for every possible vector 
to be tested. At the completion of the n* test, all results are verified against known values for 
correctness. If the results are correct for an lUT of the DBS algorithm, it can be assumed that 
this test verifies the right shifts in the key schedule as the basis vectors are recovered. 

If the results from each test of an lUT of the Skipjack algorithm match the expected results, the 
Skipjack algorithm has been verified. 


3.1.2.4 The Permutation Operation Known Answer Test for the Decryption Process 

The Permutation Operation Known Answer test for the Decryption Process only applies to lUTs 
of the DES algorithm. To implement this test, values for the key and ciphertext are supplied in 
one of two ways. If the lUT performs both encryption and decryption, values for the key and 
ciphertext resulting from the encryption performed in the Permutation Operation Known Answer 
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test for the Encryption Process will be used. Otherwise, the key and ciphertext values will be 
supplied by the MOVS. If applicable, the initialization vector will be set to zero. 

The value of the ciphertext is used directly as the input block of data. The input block is 
processed through the algorithm in the decrypt state. According to the mode of operation 
supported by the lUT, the resulting output block is used in the calculation of the plaintext which 
is recorded for later comparison. This test is repeated 32 times allowing for the 32 key-ciphertext 
values to be tested. At completion, the results of each of the 32 tests is verified to be zero. 

The 32 key values used in this test present a complete set of basis vectors to the permutation 
operator P. By doing so, P is verified. 


3.1.2.5 The Substitution Table Known Answer Test for the Decryption Process 

The Substitution Table Known Answer test for the Decryption Process only applies to lUTs of 
the DES algorithm. To implement this test, values for the key and ciphertext are supplied in one 
of two ways. If the lUT performs both encryption and decryption, the values for the key and 
ciphertext resulting from the encryption performed in the Substitution Table Known Answer test 
for the Encryption Process will be used. Otherwise, the key and ciphertext values will be supplied 
by the MOVS. If applicable, the initialization vector will be set to zero. 

The value of the ciphertext is used directly as the input block of data. This input block is 
processed through the algorithm in the decrypt state. Based on the mode of operation 
implemented by the lUT, the resulting output block is used in the calculation of the plaintext 
which is recorded for later comparison. This test is repeated 19 times in order to process the set 
of 19 key-data pairs that result in every entry of all eight substitution tables being used at least 
once. At the completion of the 19* test, all results are verified for correctness. If the lUT 
produces correct results, the eight S-box substitution tables of 64 entries each have been verified. 


3.2 The Modes Test 

The Modes test is the second type of validation test required to validate lUTs of the DES and 
Skipjack algorithms. The Modes test is based on the Monte-Carlo test discussed in SP500-20. 
They are designed to use pseudo-random data to verify that the lUT has not been designed just to 
pass the Known Answer tests. A successful series of Modes tests gives some assurance that an 
anomalous combination of inputs does not exist that would cause the test to end abnormally for 
reasons not directly related to the implementation of the algorithm. An additional purpose of the 
Modes test is to verify that no undesirable condition within the lUT will cause the key or plaintext 
to be exposed due to an implementation error. This test also checks for the presence of an 
apparent operational error. 
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The MOVS supplies the lUT with initial input values for the key, the plaintext (or ciphertext), 
and, if applicable, an initialization vector. The Modes test is then performed (as described in the 
following paragraph) and the resulting ciphertext (or plaintext) values are recorded and compared 
to known results. If an error is detected, the erroneous result is recorded, and the test terminates 
abnormally. Otherwise, the test continues. If the lUT's results are correct, the Modes test for the 
lUT ends successfully. 

Each Modes test consists of four million cycles through the DES or Skipjack algorithm 
implemented in the lUT. These cycles are divided into four hundred groups of 10,000 iterations 
each. Each iteration consists of processing an input block through the DES or Skipjack algorithm 
resulting in an output block. At the 10,000* cycle in an iteration, new values are assigned to the 
variables needed for the next iteration. The results of each 10,000* encryption or decryption 
cycle are recorded and evaluated as specified in the preceding paragraph. 
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4. BASIC PROTOCOL 


4.1 Overview 

Input and output messages used to convey information between the MOVS and the lUT shall 
consist of specific fields. The format of these input and output messages is beyond the scope of 
this document and the testing laboratories have the option to determine the specific formats of 
those messages. However, the results sent to NIST must include certain minimum information, 
which is specified in Section 4.4 Output Types. 

A separate message shall be created for each mode of operation supported by an lUT. The 
information shall indicate the algorithm used (DBS or Skipjack), the mode of operation (ECB, 
CBC, CFB-including feedback amounts, or OFB), the state (encrypt and/or decrypt), the test 
being performed (one of the various Known Answer tests, or the Modes tests), and the required 
data fields. The required data may consist of counts, keys, initialization vectors, and data 
representing plaintext or ciphertext. Every field in an output message shall be clearly labeled to 
indicate its contents - this is especially important for NIST to be able to ensure that test results are 
complete. 

4.1.1 Conventions 

The following conventions shall be used in the data portion of messages between the MOVS and 
the lUT: 

1. Integers: integers shall be unsigned and shall be represented in decimal notation. 
(See Section 4.1.2 for these notations.) 

2. Hexadecimal strings: shall consist of ASCII hexadecimal characters. The ASCII 
hexadecimal characters to be used shall consist of the ASCII characters 0-9 and A- 
F (or a-f), which represent 4-bit binary values. 

3. Characters: the characters to be represented are A-Z (or a-z), 0-9, and underscore 
(_)• 


4.1.2 Message Data Types 

The following data types shall be used in messages between the MOVS and the lUT: 
1. Decimal integers: a decimal integer shall have the form 
ddd ... dd 
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where each'd' shall represent a decimal character (0-9); one or more characters 
shall be present. The characters must be contiguous. 

2. Hexadecimal strings: a hexadecimal string shall have the form 

hhh ... hh 

where each 'h' shall represent an ASCII character 0-9 or A-F (or a-f). Each 'h' 
shall represent a 4-bit binary value. 

3. Characters: an ASCII character shall have the form 

c 

where 'c' shall represent an ASCII character A-Z (or a-z), 0-9, and underscore (_). 


4.2 Message Contents 

The information included in a message shall consist of the following: 

Algorithm - selections shall consist of DES or Skipjack, 

Mode - selections shall consist of ECB, CBC, CEB-including feedback amounts, 
or OEB, 

Process - selections shall consist of ENCRYPT or DECRYPT, 

Test - selections shall consist of: 

VTEXT for Variable Plaintext/Ciphertext Known Answer test 
VKEY for Variable Key Known Answer test 
INVPERM for Inverse Permutation Known Answer test 
INITPERM for Initial Permutation Known Answer test 
PERM for Permutation Operation Known Answer test 
SUB for Substitution Table Known Answer test 
MODES for Modes test 

Input/Output Data 

The contents of the input/output data included in a message shall depend on the algorithm, mode, 
process, and test being performed. These different combinations of data have been organized into 
input types and output types. The input types shall be used by the MO VS to supply data to the 
lUT for testing. The output types shall be used by the lUT to supply results from the tests to the 
MOVS, and eventually to NIST. 
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4.3 Input Types 

Twelve different combinations of input data shall be used by the MOVS to support the various 
Known Answer tests and Modes tests . 


4.3.1 Input Type 1 

Input Type 1 shall consist of: 

KEY and DATA 

where KEY shall be represented as k bits in hexadecimal notation (i.e., 4 bits per 
hexadecimal character). If the lUT implements the DES algorithm, the KEY shall consist 
of 16 hexadecimal characters (i.e., 64 bits, k = 64). The 8 parity bits shall be present but 
ignored, yielding 56 significant bits. Eor consistency purposes, the DES key shall be 
presented in odd parity. If the lUT implements the Skipjack algorithm, the KEY shall 
consist of 20 hexadecimal characters (i.e. 80 bits, k = 80). Skipjack does not check parity, 
thus every bit in the key is significant; and 

DATA shall be a 16 character ASCII hexadecimal string representing plaintext if the 
encrypt process is being tested, or ciphertext if the decrypt process is being tested. 


4.3.2 Input Type 2 

Input Type 2 shall consist of: 

KEY,IV, and DATA 

where KEY shall be represented as k bits in hexadecimal notation (i.e., 4 bits per 
hexadecimal character). If the lUT implements the DES algorithm, the KEY shall consist 
of 16 hexadecimal characters (i.e., 64 bits, k = 64). The 8 parity bits shall be present but 
ignored, yielding 56 significant bits. Eor consistency purposes, the DES key shall be 
presented in odd parity. If the lUT implements the Skipjack algorithm, the KEY shall 
consist of 20 hexadecimal characters (i.e. 80 bits, k = 80). Skipjack does not check parity, 
thus every bit in the key is significant; 

IV shall be a 16 character ASCII hexadecimal string representing the 64-bit initialization 
vector; and 

DATA shall be 1 to 64 binary bits represented as a 16 character ASCII hexadecimal string 
representing plaintext if the encrypt process is being tested, or ciphertext if the decrypt 
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process is being tested. 


4.3.3 Input Type 3 

Input Type 3 shall consist of: 

KEY,n,CTi,CT2,...CT„ 

where KEY shall be represented as k bits in hexadecimal notation (i.e., 4 bits per 
hexadecimal character). If the lUT implements the DES algorithm, the KEY shall consist 
of 16 hexadecimal characters (i.e., 64 bits, k = 64). The 8 parity bits shall be present but 
ignored, yielding 56 significant bits. Eor consistency purposes, the DES key shall be 
presented in odd parity. If the lUT implements the Skipjack algorithm, the KEY shall 
consist of 20 hexadecimal characters (i.e. 80 bits, k = 80). Skipjack does not check parity, 
thus every bit in the key is significant; 

n is an integer which shall indicate the number of ciphertext (CT) values to follow; and 

each CT„ shall be 1 to 64 binary bits represented as a 16 character ASCII hexadecimal 
string. 

4.3.4 Input Type 4 

Input Type 4 shall consist of: 

KEY 

where KEY shall be represented as k bits in hexadecimal notation (i.e., 4 bits per 
hexadecimal character). If the lUT implements the DES algorithm, the KEY shall consist 
of 16 hexadecimal characters (i.e., 64 bits, k = 64). The 8 parity bits shall be present but 
ignored, yielding 56 significant bits. Eor consistency purposes, the DES key shall be 
presented in odd parity. If the lUT implements the Skipjack algorithm, the KEY shall 
consist of 20 hexadecimal characters (i.e. 80 bits, k = 80). Skipjack does not check parity, 
thus every bit in the key is significant. 


4.3.5 Input Type 5 

Input Type 5 shall consist of: 

KEY,IV,n,TEXTi,TEXT2,...TEXT„ 
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where KEY shall be represented as k bits in hexadecimal notation (i.e., 4 bits per 
hexadecimal character). If the lUT implements the DES algorithm, the KEY shall consist 
of 16 hexadecimal characters (i.e., 64 bits, k = 64). The 8 parity bits shall be present but 
ignored, yielding 56 significant bits. For consistency purposes, the DES key shall be 
presented in odd parity. If the lUT implements the Skipjack algorithm, the KEY shall 
consist of 20 hexadecimal characters (i.e. 80 bits, k = 80). Skipjack does not check parity, 
thus every bit in the key is significant; 

IV shall be a 16 character ASCII hexadecimal string representing the 64-bit initialization 
vector; 

n is an integer which shall indicate the number of TEXT values to follow; and 

each TEXT„ shall be 1 to 64 binary bits represented as a 16 character ASCII hexadecimal 
string. TEXT shall represent PT, CT, or RESULT. 

4.3.6 Input Type 6 

Input Type 6 shall consist of: 

KEY and IV 

where KEY shall be represented as k bits in hexadecimal notation (i.e., 4 bits per 
hexadecimal character). If the lUT implements the DES algorithm, the KEY shall consist 
of 16 hexadecimal characters (i.e., 64 bits, k = 64). The 8 parity bits shall be present but 
ignored, yielding 56 significant bits. For consistency purposes, the DES key shall be 
presented in odd parity. If the lUT implements the Skipjack algorithm, the KEY shall 
consist of 20 hexadecimal characters (i.e. 80 bits, k = 80). Skipjack does not check parity, 
thus every bit in the key is significant; and 

IV shall be a 16 character ASCII hexadecimal string representing the 64-bit initialization 
vector. 


4.3.7 Input Type 7 

Input Type 7 shall consist of 


PT,KEYi,KEY2,...KEY32 

where PT shall be 1 to 64 binary bits represented as a 16 character ASCII hexadecimal 
string; and 
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each KEY;, where i=l to 32, shall be represented as k bits in hexadecimal notation (i.e., 4 
bits per hexadecimal character). If the lUT implements the DES algorithm, the KEY shall 
consist of 16 hexadecimal characters (i.e., 64 bits, k = 64). The 8 parity bits shall be 
present but ignored, yielding 56 significant bits. Eor consistency purposes, the DES key 
shall be presented in odd parity. If the lUT implements the Skipjack algorithm, the KEY 
shall consist of 20 hexadecimal characters (i.e. 80 bits, k = 80). Skipjack does not check 
parity, thus every bit in the key is significant. 

4.3.8 Input Type 8 

Input Type 8 shall consist of: 

TEXT,IV,KEYi,KEY2,...KEY32 

where TEXT shall be 1 to 64 binary bits represented as a 16 character ASCII hexadecimal 
string. (NOTE: TEXT may be referred to as plaintext or text.); 

IV shall be a 16 character ASCII hexadecimal string representing the 64-bit initialization 
vector; and 

each KEY;, where i=l to 32, shall be represented as k bits in hexadecimal notation (i.e., 4 
bits per hexadecimal character). If the lUT implements the DES algorithm, the KEY shall 
consist of 16 hexadecimal characters (i.e., 64 bits, k = 64). The 8 parity bits shall be 
present but ignored, yielding 56 significant bits. Eor consistency purposes, the DES key 
shall be presented in odd parity. If the lUT implements the Skipjack algorithm, the KEY 
shall consist of 20 hexadecimal characters (i.e. 80 bits, k = 80). Skipjack does not check 
parity, thus every bit in the key is significant. 


4.3.9 Input Type 9 

Input Type 9 supplies n key/input block pairs. It shall consist of: 
n,PAIRi,PAIR2,...PAIR„ 

In this input type, the integer n shall indicate the number of KEY values to follow. Each 
PAIR; shall consist of: 

KEY; and TEXT; 

where each KEY,, where i=l to n, shall be represented as k bits in hexadecimal notation 
(i.e., 4 bits per hexadecimal character). If the lUT implements the DES algorithm, the 
KEY shall consist of 16 hexadecimal characters (i.e., 64 bits, k = 64). The 8 parity bits 
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shall be present but ignored, yielding 56 significant bits. For consistency purposes, the 
DBS key shall be presented in odd parity. If the lUT implements the Skipjack algorithm, 
the KEY shall consist of 20 hexadecimal characters (i.e. 80 bits, k = 80). Skipjack does 
not check parity, thus every bit in the key is significant; and 

each TEXT;, for / = 1 to n, shall be a 16 character ASCII hexadecimal string representing 
either plaintext or ciphertext. 


4.3.10 Input Type 10 

Input Type 10 shall consist of: 
n,KEYi,KEY2,...KEY„ 

where n is an integer which shall indicate the number of KEY values to follow; and 

each KEY;, where i=l to n, shall be represented as k bits in hexadecimal notation (i.e., 4 
bits per hexadecimal character). If the lUT implements the DBS algorithm, the KEY shall 
consist of 16 hexadecimal characters (i.e., 64 bits, k = 64). The 8 parity bits shall be 
present but ignored, yielding 56 significant bits. Eor consistency purposes, the DBS key 
shall be presented in odd parity. If the lUT implements the Skipjack algorithm, the KEY 
shall consist of 20 hexadecimal characters (i.e. 80 bits, k = 80). Skipjack does not check 
parity, thus every bit in the key is significant. 

4.3.11 Input Type 11 

Input Type 11 shall consist of: 

INITVAE,n,PAIRi,PAIR2,...PAIR„ 

where INITVAE shall be a 16 character ASCII hexadecimal string representing either the 
64 bit IV or the TEXT, depending on the mode of operation implemented by the lUT. 
(NOTE: The TEXT may be referred to as plaintext, ciphertext, or text.); 

n is an integer which shall indicate the number of KEY/INPUT PAIRs to follow. 

Each PAIR; shall consist of: 

KEY, and IB, 

where each KEY,, where i=l to n, shall be represented as k bits in hexadecimal notation 
(i.e., 4 bits per hexadecimal character). If the lUT implements the DBS algorithm, the 
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KEY shall consist of 16 hexadecimal characters (i.e., 64 bits, k = 64). The 8 parity bits 
shall be present but ignored, yielding 56 significant bits. For consistency purposes, the 
DES key shall be presented in odd parity. If the lUT implements the Skipjack algorithm, 
the KEY shall consist of 20 hexadecimal characters (i.e. 80 bits, k = 80). Skipjack does 
not check parity, thus every bit in the key is significant; and 

each IB; shall be a 16 character ASCII hexadecimal string representing either the 64 bit 
IV, PT or CT, depending on the mode of operation implemented. 


4.3.12 Input Type 12 

Input Type 12 shall consist of: 

INITVAL,n,KEYi ,KEY2,. . .KEY„ 

where INITVAL shall be a 16 character ASCII hexadecimal string representing either the 
64 bit IV or the 64 bit TEXT depending on the mode of operation implemented by the 
lUT. (NOTE: The TEXT may be referred to as ciphertext.); 

n is an integer which shall indicate the number of KEYS to follow; and 

each KEY;, where i=l to n, shall be represented as k bits in hexadecimal notation (i.e., 4 
bits per hexadecimal character). If the lUT implements the DES algorithm, the KEY shall 
consist of 16 hexadecimal characters (i.e., 64 bits, k = 64). The 8 parity bits shall be 
present but ignored, yielding 56 significant bits. For consistency purposes, the DES key 
shall be presented in odd parity. If the lUT implements the Skipjack algorithm, the KEY 
shall consist of 20 hexadecimal characters (i.e. 80 bits, k = 80). Skipjack does not check 
parity, thus every bit in the key is significant. 

4.4 Output Types 

Two different combinations of output data are used by the MOVS to support the various Known 
Answer tests and Modes tests. 

4.4.1 Output Type 1 

Output Type 1 shall consist of: 

COUNT,KEY,DATA, and RESULT 

where COUNT shall be an integer between 1 and 400, i.e., 0 < COUNT <= 400, 
representing the output line; 
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KEY shall be represented as k bits in hexadeeimal notation. If the lUT implements the 
DES algorithm, the KEY shall eonsist of 16 hexadeeimal eharaeters (i.e., 64 bits, k = 64). 
The parity bits shall be ignored, yielding 56 signifieant bits. For eonsisteney purposes, the 
DES key shall be displayed in odd parity. If the lUT implements the Skipjaek algorithm, 
the KEY shall eonsist of 20 hexadeeimal eharaeters (i.e. 80 bits, k = 80). Skipjaek does 
not eheek parity, thus every bit in the key is signifieant; 

DATA shall be a 16 eharaeter hexadeeimal string representing plaintext if the enerypt 
process is being tested or ciphertext if the decrypt process is being tested; and 

RESULT shall be a 16 character hexadecimal string indicating the resulting value. 
Depending on the process of the lUT being tested, the resulting value shall represent 
ciphertext (if encrypting) or plaintext (if decrypting). 

4.4.2 Output Type 2 

Output Type 2 shall consist of: 

COUNT,KEY,CV,DATA, and RESULT 

where COUNT shall be an integer between 1 and 400, i.e., 0 < COUNT <= 400, 
representing the output line; 

KEY shall be represented as k bits in hexadecimal notation. If the lUT implements the 
DES algorithm, the KEY shall consist of 16 hexadecimal characters (i.e., 64 bits, k = 64). 
The parity bits shall be ignored, yielding 56 significant bits. For consistency purposes, the 
DES key shall be displayed in odd parity. If the lUT implements the Skipjack algorithm, 
the KEY shall consist of 20 hexadecimal characters (i.e. 80 bits, k = 80). Skipjack does 
not check parity, thus every bit in the key is significant; 

CV shall be a 16 character ASCII hexadecimal string; 

DATA shall be a 16 character hexadecimal string representing plaintext if the encrypt 
process is being tested or ciphertext if the decrypt process is being tested.; and 

RESULT shall be a 16 character hexadecimal string indicating the resulting value. 
Depending on the process of the lUT being tested, the resulting value may be ciphertext 
(if encrypting) or plaintext (if decrypting). 
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5. TESTS REQUIRED TO VALIDATE AN IMPLEMENTATION OF THE DES OR 

SKIPJACK ALGORITHM 

The validation of lUTs of the DES and Skipjack algorithms shall require the successful 
completion of an applicable set of Known Answer tests and the successful completion of the 
appropriate Modes tests. The tests required for validation of an lUT shall be determined by 
several factors. These include the algorithm implemented (DES or Skipjack), the mode(s) of 
operation supported ( ECB, CBC, CEB, OEB), and the allowed cryptographic processes 
(encryption, decryption, both). 

A separate set of Known Answer tests has been designed for use with each of the four modes of 
DES and Skipjack. Within these sets of tests are separate subsets of tests corresponding to the 
encrypt and decrypt processes. If an lUT implements multiple modes of operation but does not 
implement the ECB mode, each supported mode of operation shall be tested. If an lUT 
implements multiple modes of operation which does include the ECB mode, the set of Known 
Answer tests corresponding to the implemented cryptographic state of the ECB mode of 
operation shall be the only set of Known Answer tests conducted. The reasoning behind this is 
that other modes of operation implemented should follow the same logic as that for the ECB 
mode of operation. 

The Modes tests have been designed for use with each of the four modes of DES and Skipjack. 
Eor the ECB, CBC, and CEB modes of operation, there are two tests associated with each: one to 
be used for lUTs allowing the encryption process and the other to be used for lUTs allowing the 
decryption process. If both the encryption and decryption processes are allowed by an lUT, both 
tests shall be required. The OEB mode of operation only requires one Modes test which is 
designed for use with both the encryption and decryption processes of an lUT. Eor example, if an 
lUT implements the CBC mode of operation in the encryption process only, the Modes test for 
the encryption process of the CBC mode of operation shall be successfully completed to validate 
the lUT. Eikewise, if an lUT implements both the encryption and decryption processes of the 
CEB mode of operation, both the Modes test for the CEB encryption process and the Modes test 
for the CEB decryption process shall be successfully completed to validate the lUT. If an lUT 
implements both the encryption and decryption processes of the OEB mode of operation, the 
Modes test for the OEB mode of operation shall be successfully completed to validate the lUT. 

If an lUT of the DES or Skipjack algorithm supports more than one mode of operation, the 
Modes test corresponding to each supported mode shall be performed successfully. Eor example, 
if an lUT implements the ECB and CBC modes of operation for the encryption process, the 
Modes test for the encryption process of the ECB mode of operation and the Modes test for the 
encryption process of the CBC mode of operation shall be successfully completed to validate the 
lUT. 
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The tests required to successfully validate lUTs of the DBS and Skipjack algorithms are detailed 
in the following sections. These sections are categorized by mode of operation. Within each 
mode of operation, the tests are divided into tests to use with the encryption process and tests to 
use with the decryption process. 
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5.1 Electronic Codebook (ECB) Mode 


The lUTs of the DES or Skipjack algorithm in the Electronic Codebook (ECB) mode shall be 
validated by the successful completion of a series of Known Answer tests and Modes tests 
corresponding to the cryptographic processes allowed by the lUT. 


5.1.1 Encryption Process 

The process of validating an lUT of the DES algorithm which implements the encryption process 
of the ECB mode of operation shall involve the successful completion of the following six tests: 

1. The Variable Plaintext Known Answer Test - ECB mode 

2. The Inverse Permutation Known Answer Test for the Encryption Process - ECB mode 

3. The Variable Key Known Answer Test for the Encryption Process - ECB mode 

4. The Permutation Operation Known Answer Test for the Encryption Process - ECB 
mode 

5. The Substitution Table Known Answer Test for the Encryption Process - ECB mode 

6 . The Modes Test for the Encryption Process - ECB mode 

The validation process for an lUT of the Skipjack algorithm which implements the encryption 
process of the ECB mode of operation shall require the successful completion of tests 1,2,3, and 6 
only. 

An explanation of the tests follows. 
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5.1.1.1 The Variable Plaintext Known Answer Test - ECB Mode 


MOVS; Initialize KEY; If DES, KEY=0101010101010101 (odd parity set) 

If Skipjack, KEY=00000000000000000000 
PT, = 8000000000000000 
Send KEY, PT) 

lUT; FOR i = 1 to 64 
{ 

IB, = PT, 

Perform algorithm in encrypt state, resulting in CTj 
Send i, KEY, PT„ CT, 

PTi^.] = basis vector where single "1" bit is in position I+l 


MOVS; Compare results from each loop with known answers 

If DES, use Appendix B, Table 1. If Skipjack, use Appendix B, Table 5. 


Figure 5.1 The Variable Plaintext Known Answer Test - ECB Mode 
Figure 5.1 illustrates the Variable Plaintext Known Answer test for the ECB mode of operation. 

1. The MOVS shall: 

a. Initialize the KEY parameter to the constant hexadecimal value 0. Eor lUTs of the 
DES algorithm, the KEY^^,; = 01 01 01 01 01 01 01 OE Note that the significant 
bits are set to "0" and the parity bits are set to "1" to make odd parity. 

Eor lUTs of the Skipjack algorithm, the KEY^^,; = 00 00 00 00 00 00 00 00 00 00. 

b. Initialize the 64 bit plaintext PT; to the basis vector containing a "1" in the first bit 
position and "0" in the following 63 positions, i.e., PT; ^in = 10000000 00000000 
00000000 00000000 00000000 00000000 00000000 00000000. The equivalent 
of this value in hexadecimal notation is 80 00 00 00 00 00 00 00. 

c. Eorward this information to the lUT using Input Type 1. 


2. The lUT shall perform the following for i=l through 64: 

a. Set the input block IB; equal to the value of PT;, i.e, (IB li,IB2i,...IB64i) = 
(PTl„PT2„...,PT64i). 
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b. Process IB; through the DBS or Skipjack algorithm in the encrypt state, resulting 
in ciphertext CTj. 

c. Forward the current values of the loop number i, KEY, PTj, and the resulting CT; 
to the MOVS as specified in Output Type 1. 

d. Retain CT; for use with the Inverse Permutation Known Answer test for the ECB 
Mode (Section 5.1.1.2), and, if the lUT supports the decryption process, for use 
with the Variable Ciphertext Known Answer test for the ECB Mode (Section 

5.1.2.1). 

e. Assign a new value to PTi^.i by setting it equal to the value of a basis vector with a 
"1" bit in position i+1, where i+l=2..64. 

NOTE: This continues until every possible basis vector has been represented by the PT, 
i.e. 64 times. The output from the lUT shall consist of 64 output strings. Each output 
string shall consist of information included in Output Type 1. 

3. The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values found in Appendix B, Table 1 for DBS or Table 5 for Skipjack. 
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5.1.1.2 The Inverse Permutation Known Answer Test - ECB Mode 


MOVS; Initialize KEY; If DES, KEY=0101010101010101 (odd parity set) 

If Skipjack, KEY=00000000000000000000 
PTj (where i=l-64) = 64 CT values from the Variable Plaintext Known 
Answer test 

Send KEY, 64, PIj ... PT 64 

lUT; EOR i = 1 to 64 
{ 

IB, = PT, 

Perform algorithm in encrypt state, resulting in CTj 
Send i, KEY, PT„ CT, 

PTi^., = corresponding PTi^.; from MOVS 


MOVS; Compare results from each loop with known answers. 
Should be the set of basis vectors. 


Figure 5.2 The Inverse Permutation Known Answer Test - ECB Mode 
Figure 5.2 illustrates the Inverse Permutation Known Answer test for the ECB mode of operation. 
1. The MOVS shall: 

a. Initialize the KEY parameter to the constant hexadecimal value 0. Eor lUTs of the 
DES algorithm, the KEY^^,; = 01 01 01 01 01 01 01 01. Note that the significant 
bits are set to "0" and the parity bits are set to "1" to make odd parity. 

Eor lUTs of the Skipjack algorithm, the KEY^^,; = 00 00 00 00 00 00 00 00 00 00. 

b. Initialize the 64 bit plaintext values PT; (where i=l- 64) to the CT; results obtained 
from the Variable Plaintext Known Answer test. 

c. Eorward this information to the lUT using Input Type 3. 


2. The lUT shall perform the following for i=l through 64: 

a. Set the input block IB; equal to the value of PTj, i.e, (IB Ii,IB2i,...IB64i) = 
(PTl„PT2i,...,PT64i). 
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b. Process IB; through the DBS or Skipjack algorithm in the encrypt state, resulting 
in ciphertext CTj. 

c. Forward the current values of the loop number i, KEY, PTj, and the resulting CT; 
to the MOVS as specified in Output Type 1. 

d. Assign a new value to PT^^.^ by setting it equal to the corresponding output from 
the Variable Plaintext Known Answer test for the ECB mode. 

NOTE: The output from the lUT shall consist of 64 output strings. Each output string 
shall consist of information included in Output Type 1. 

The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values. The CT values should be the set of basis vectors. 



5.1.1.3 The Variable Key Known Answer Test for the Encryption Process - ECB Mode 


MOVS; Initialize KEY,; If DES, KEY, = 8001010101010101 (with odd parity) 

If Skipjack, KEY, = 80000000000000000000 
PT=0000000000000000 
Send KEY,, PT 

lUT: EOR i= 1 to «, where « = 64 if DES, 80 if Skipjack 

{ 

IE (algorithm == SKIPJACK) {process every bit} 

OR 

(algorithm == DES AND I %8 != 0) 

(process every bit except parity bits} 

I 

IB, = PT 

Perform algorithm in encrypt state using KEY,, resulting in CT, 
Send i, KEY,, PT, CT, 

KEY,,., = vector consisting of "0" in every significant bit position 
except for a single "1" bit in position i+1. Each parity bit may have 
the value "1" or "0" to make the KEY odd parity. 

I 

} 

MOVS; Compare results of the n encryptions with known answers 

Eor DES, use Appendix B, Table 2. For Skipjack, use Appendix B, Table 6. 


Figure 5.3 The Variable Key Known Answer Test for the Encryption Process- ECB 
Mode 

As summarized in Figure 5.3, the Variable Key Known Answer test for the ECB Eneryption 
Proeess shall be performed as follows: 

1. The MOVS shall: 

a. Initialize the KEY, to contain "0" in every significant bit except for a "1" in the 
first position. Eor example, if validating an lUT of the DES algorithm, the 64 bit 
KEY,b,n = 10000000 00000001 00000001 00000001 00000001 00000001 
00000001 00000001. The equivalent of this value in hexadecimal notation is 80 
01 01 01 01 01 01 01. Note that the parity bits are set to "0" or "1" to get odd 
parity. 

If validating an lUT of the Skipjack algorithm, the 80 bit KEY, ^in = 10000000 
00000000 00000000 00000000 00000000 00000000 00000000 00000000 
00000000 00000000. The equivalent of this value in hexadecimal notation is 80 
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00 00 00 00 00 00 00 00 00 . 


b. Initialize the 64 bit plaintext PT to the value of 0, i.e., PT,,g^=00 00 00 00 00 00 00 

00 . 

c. Forward this information to the lUT using Input Type 1. 

2. The lUT shall perform the following for i= 1 to n: (NOTE: n equals the number of 
significant bits in a DES or Skipjack key.) 

a. Set the input block IB; equal to the value of PT, i.e, (IB lj,IB2i,...IB64i) = 
(PT1,PT2,...,PT64). 

b. Using the corresponding KEY;, process IB; through the DES or Skipjack algorithm 
in the encrypt state, resulting in ciphertext CT^. 

c. Eorward the current values of the loop number i, KEY;, PT, and the resulting CT; 
to the MOVS as specified in Output Type 1. 

d. If the lUT supports the decryption process, retain CT, for use with the Variable 
Key Known Answer test for the Decryption Process for the ECB Mode (Section 
5.1.2.3). 

e. Set KEYi ^.1 equal to the vector consisting of "0" in every significant bit position 
except for a single "1" bit in position i+1. The parity bits may contain "1" or "0" to 
make odd parity. 

NOTE: The above processing continues until every significant basis vector has been 
represented by the KEY parameter. The output from the lUT for this test shall consist of 
56 output strings if DES is implemented and 80 output strings if Skipjack is implemented. 
Each output string shall consist of information included in Output Type 1. 

3. The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values found in Appendix B, Table 2 for DES, or Table 6 for Skipjack. 
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5.1.1.4 Permutation Operation Known Answer Test for the Encryption Process - ECB 
Mode 

NOTE: This test shall only be performed for lUTs of the DES algorithm. 


MOVS; Initialize KEY; (where i= 1-32) = 32 KEY values in Appendix B, Table 3 

PT = 0000000000000000 
Send PT, 32, KEY,, KEY 2 ....,KEY 32 

lUT; EOR i = 1 to 32 
{ 

IB, = PT, 

Perform DES algorithm in encrypt state using KEY,, resulting in CT, 

Send i, KEY,, PT, CT, 

KEY,,., = KEY,,., from MOVS 


MOVS; Compare results with known answers 


Figure 5.4 The Permutation Operation Known Answer Test for the Encryption Process - 
ECB Mode 


Figure 5.4 illustrates the Permutation Operation Known Answer test for the ECB Encryption 
Process. 

1. The MOVS shall: 

a. Initialize the KEY with the 32 constant KEY values from Appendix B, Table 3. 

b. Initialize the plaintext PT to the value of 0, i.e., PT,,g,,= 00 00 00 00 00 00 00 00. 

c. Eorward this information to the lUT using Input Type 7. 

2. The lUT shall perform the following for i= 1 to 32: 

a. Set the input block IB, equal to the value of PT, i.e, (IB I„IB2i,...IB64i) = 
(PTI,PT2,...,PT64). 

b. Using the corresponding KEY,, process IB, through the DES algorithm in the 
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encrypt state, resulting in ciphertext CTj. 

c. Forward the current values of the loop number i, KEY;, PT, and the resulting CT, 
to the MOVS as specified in Output Type 1. 

d. If the lUT supports the decryption process, retain CT; for use with the Permutation 
Operation Known Answer test for the Decryption Process for the ECB mode 
(Section 5.1.2.4). 

e. Set KEYi ^.1 equal to the next KEY supplied by the MOVS. 

NOTE: The above processing shall continue until all 32 KEY values are processed. The 
output from the lUT for this test shall consist of 32 output strings. Each output string 
shall consist of information included in Output Type 1. 


The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values found in Appendix B, Table 3. 



5.1.1.5 Substitution Table Known Answer Test for the Encryption Process - ECB Mode 

NOTE: This test shall only be performed for lUTs of the DES algorithm. 


MOVS: Initialize KEYi (where i=l-19) = 19 KEY values in Appendix B, Table 4 

PTj (where i=l-19) = 19 corresponding PT values in Table 4 
Send 19, KEY;, PTj, KEYj, PTj,..., KEYi,, PTi, 

lUT; FOR i= 1 to 19 
{ 

IBi = PT 

Perform DES algorithm in encrypt state resulting in CT; 

Send i, KEY,, PT,, CT, 

KEY,^i = KEY,^, from MOVS 
PT,^, = PT,^, from MOVS 

} 

MOVS: Compare results with known answers 


Figure 5.5 The Substitution Table Known Answer Test for the Encryption 
Process - ECB Mode 

As summarized in Figure 5.5, the Substitution Table Known Answer test for the ECB Encryption 
Process shall be performed as follows: 

1. The MOVS shall: 

a. Initialize the KEY-plaintext (KEY-PT) pairs with the 19 constant KEY-PT values 
from Appendix B, Table 4. 

b. Eorward this information to the lUT using Input Type 9. 


2. The lUT shall perform the following for i= 1 to 19: 

a. Set the input block IB; equal to the value of PTj, i.e, (IB Ij,IB2i,...IB64i) = 

(PTIi,PT2i,...,PT64i). 

b. Using the corresponding KEY;, process IB; through the DES algorithm in the 
encrypt state, resulting in ciphertext CT;. 

c. Eorward the current values of the loop number i, KEY;, PT;, and the resulting CT; 
to the MOVS as specified in Output Type 1. 
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d. If the lUT supports the decryption process, retain CTj for use with the Substitution 
Table Known Answer test for the Decryption Process for the ECB mode (Section 
5.1.2.5). 

e. Set KEYi ^.1 equal to the next KEY supplied by MOVS. 

f. Set PTi ^.1 equal to the corresponding PT supplied by MOVS. 

NOTE: The above processing shall continue until all 19 KEY-PT pairs are processed. 

The output from the lUT for this test shall consist of 19 output strings. Each output 
string shall consist of information included in Output Type 1. 


The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values found in Appendix B, Table 4. 



5.1.1.6 Modes Test for the Encryption Process - ECB Mode 


MO VS; Initialize KEYq, PTo 
S end KEYo, PTo 

lUT; FOR i= 0 TO 399 
{ 

Record i, KEYi, PTo 
FORj = OTO 9,999 
{ 

IBj = PTj 

Perform algorithm in encrypt state, resulting in CTj 

PTj,,=CTj 

} 

Record CTj 

Send i, KFYi, PTo, CTj 

KFYi^.i= KFYi ® last n bits of CT, where «=64 if DFS, «=80 if Skipjack 

PTo = CT9999 


MO VS; Check lUT's output for correctness 


Figure 5.6 The Modes Test for the Encryption Process - ECB Mode 


As summarized in Figure 5.6, the Modes test for the ECB Encryption Process shall be performed 
as follows: 

1. The MOVS shall: 

a. Initialize the KEY and plaintext PT variables. The PT shall consist of 64 bits, 
while the KEY length shall be dependent on the algorithm implemented by the 
lUT. 

b. Eorward this information to the lUT using Input Type I. 

2. The lUT shall perform the following for i= 0 through 399: 

a. Record the current values of the outer loop number i, KEY;, and PT^. 
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b. Perform the following for j=0 through 9999: 

1. Set the input block IBj equal to the value of PTj, i.e., (IBlj, IB2j,IB64j) 
= (PTlj, PT2j,..., PT64j). 

ii. Process IBj through the DES or Skipjack algorithm in the encrypt state 
resulting in CTj. 

hi. Prepare for loop j+1 by assigning PTj+i with the current value of CTj, i.e., 
(PTlj^i, PT2j,„ ... PT64j,i) = (CTlj, CT2j,..., CT64j). 

c. Record CTj. 

d. Forward all recorded information for this loop, as specified in Output Type 1, to 
the MO VS. 

e. Assign a new value to KEY in preparation for the next outer loop. The new KEY 
shall be calculated by exclusive-ORing the current KEY with the current CT. For 
lUTs of the DES algorithm, this shall equate to (KEYl;^!, KEY2i^i,... KEY64i^.i) 
= (KEYlieCTl,,^, KEY 2 ieCT 25559 ,... KEYbdieCTbd^^). 

For lUTs of the Skipjack algorithm, CT shall be expanded in length to 80 bits (the 
length of a Skipjack key) before the new KEY can be formed. This expansion 
shall be accomplished by concatenating the 16 rightmost bits of the previous CT 
(CTgggg) with thc 64 bits of the current CT (CT 9999 ). This value shall then be 
exclusive-ORed with the current KEY to form the new KEY, i.e., (KEYli^.i, 
KEY 2 i^i,... KEY80i^i) = (KEYlieCT499998, KEY2ieCT509998,... 
KEY16ieCT649998, KEYITieCTl 9999 , KEY18ieCT29999,... KEY80ieCT649999). 

f. Assign a new value to PT in preparation for the next outer loop. PTq shall be 
assigned the value of the current CT, i.e., (PTlg, PT2o,...,PT64o) = (CTI 9999 , 
CT 29999 ,...,CT 649999 ). (Notc that the new PT shall be denoted as PTq to be used 
for the first pass through the inner loop when j= 0 .) 

NOTE: The output from the lUT for this test shall consist of 400 output strings. Each 
output string shall consist of information included in Output Type 1. 


3. The MO VS shall check the lUT's output for correctness by comparing the received results 

to known values. 
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5.1.2 Decryption Process 

The process of validating an lUT for the ECB mode of the DES algorithm which implements the 
decryption process shall involve the successful completion of the following six tests: 


1. The Variable Ciphertext Known Answer Test 

2. The Initial Permutation Known Answer Test 

3. The Variable Key Known Answer Test for the Decryption Process 

4. The Permutation Operation Known Answer Test for the Decryption Process 

5. The Substitution Table Known Answer Test for the Decryption Process 

6. The Modes Test for the Decryption Process 

The validation process for an lUT of the Skipjack algorithm using the ECB mode of operation in 
the decryption process shall require the successful completion of tests 1, 2, 3, and 6 only. 

An explanation of the tests follows. 
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5.1.2.1 The Variable Ciphertext Known Answer Test - ECB Mode 


MO VS; Initialize KEY; If DES, KEY=0101010101010101 (odd parity set) 

If Skipjack, KEY=00000000000000000000 

If encryption is supported by lUT; 

Send KEY 

If encryption is not supported by lUT; 

Initialize CT values; If DES, use values in Appendix B, Table 1 

If Skipjack, use values in Appendix B, Table 5 
Send KEY, 64, CTj, CT 2 ,...CT 64 

lUT; If encryption is supported by lUT; 

Initialize CT, = first value from output of Variable Plaintext Known Answer test. 
Otherwise, use the first value received from the MO VS. 

FOR i = 1 to 64 

{ 

IB, = CT, 

Perform algorithm in decrypt state, resulting in PT, 

Send i, KEY, CT,, PT, 

If encryption is supported; 

CT,,.i= corresponding CT,,., from output of Variable Plaintext Known Answer test 

else 

CT,.,.,= the corresponding CT,.,., value from MO VS 

} 

MO VS; Compare results from each loop with known answers 


Figure 5.7 The Variable Ciphertext Known Answer Test - ECB Mode 


As summarized in Figure 5.7, the Variable Ciphertext Known Answer test for the ECB Mode of 
Operation shall be performed as follows: 

1. The MOVS shall: 

a. Initialize the KEY parameter to the constant hexadecimal value 0. Eor lUTs of the 
DES algorithm, KEY,,g„ = 01 01 01 01 01 01 01 01. Note that the significant bits 
are set to "0" and the parity bits are set to "1" to make odd parity. Eor lUTs of 
the Skipjack algorithm, KEY,,^,, = 00 00 00 00 00 00 00 00 00 00. 

b. If the lUT implements the DES algorithm and it does not support encryption. 
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initialize the 64 ciphertext CT values with the 64 constant CT values from 
Appendix B, Table 1. Likewise, if the lUT is of the Skipjack algorithm, and it 
does not support encryption, initialize the 64 ciphertext CT values with the 64 
constant CT values from Appendix B, Table 5. 

c. If encryption is supported by the lUT, forward the KEY to the lUT using Input 
Type 4. If encryption is not supported by the lUT, forward the KEY and 64 CT 
values to the lUT using Input Type 3. 


2. The lUT shall: 

a. If encryption is supported, initialize the CT value with the first CT value retained 
from the Variable Plaintext Known Answer test for the ECB Mode (Section 

5.1.1.1). Otherwise, use the first value received from the MO VS. 

b. Perform the following for i=l through 64: 

i. Set the input block IB; equal to the value of CT^, i.e., (IBli,IB2i,...,IB64i) = 
(CTli,CT2„...,CT64i). 

ii. Process IB; through the DES or Skipjack algorithm in the decrypt state, 
resulting in plaintext PTj. 

hi. Forward the current values of the loop number i, KEY, CTj, and the 
resulting PT; to the MOVS as specified in Output Type 1. 

iv. Retain PT; for use with the Initial Permutation Known Answer test for the 
ECB mode (Section 5.1.2.2). 

V. If encryption is supported, set CTj^.! equal to the corresponding output 
from the Variable Plaintext Known Answer test for the ECB mode. If 
encryption is not supported, assign a new value to CTj^.! by setting it equal 
to the corresponding CTj^j value supplied by the MOVS. 

NOTE: The output from the lUT for this test shall consist of 64 output strings. Each 
output string shall consist of information included in Output Type 1. 

3. The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values. 
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5.1.2.2 The Initial Permutation Known Answer Test - ECB Mode 


MO VS; Initialize KEY; If DES, KEY=0101010101010101 (odd parity set) 

If Skipjack, KEY=00000000000000000000 

CT| (where i=l-64) = 64 PT values from Variable Ciphertext Known Answer test 
Send KEY, 64, CT„ CT 2 ,...CT 64 

lUT; Initialize CT, = first value from output of Variable Ciphertext Known Answer test. 

EOR i = 1 to 64 
{ 

IB, = CT, 

Perform algorithm in decrypt state, resulting in PTj 
Send i, KEY, CT,, PT, 

CTi^.,= the corresponding CTj^., value from MO VS 


MO VS; Compare results from each loop with known answers. Eor DES, use Appendix B, Table 1. Eor 
Skipjack, use Appendix B, Table 5. 


Figure 5.8 The Initial Permutation Known Answer Test - ECB Mode 


As summarized in Figure 5.8, the Initial Permutation Known Answer test for the ECB Mode of 
Operation shall be performed as follows: 

1. The MOVS shall: 

a. Initialize the KEY parameter to the constant hexadecimal value 0. Eor lUTs of the 
DES algorithm, KEY,,g,; = 01 01 01 01 01 01 01 01. Note that the significant bits 
are set to "0" and the parity bits are set to " 1" to make odd parity. Eor lUTs of 
the Skipjack algorithm, KEY^^,; = 00 00 00 00 00 00 00 00 00 00. 

b. Initialize the 64 CT values with the 64 PT values obtained from the Variable 
Ciphertext Known Answer test. 

c. Eorward the KEY and the 64 CT values to the lUT using Input Type 3. 


2. The lUT shall perform the following for i=l through 64: 

a. Set the input block IB; equal to the value of CTj, i.e., (IBli,IB2i,...,IB64i) = 
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(CT1„CT2„...,CT64,). 


b. Process IB; through the DBS or Skipjack algorithm in the decrypt state, resulting 
in plaintext PT,. 

c. Forward the current values of the loop number i, KEY, CTj, and the resulting PT; 
to the MOVS as specified in Output Type 1. 

d. Set equal to the corresponding value supplied by the MOVS. 

NOTE: The output from the lUT for this test shall consist of 64 output strings. Each 
output string shall consist of information included in Output Type 1. 

The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values. 



5.1.2.3 The Variable Key Known Answer Test for the Decryption Process - ECB Mode 


MO VS; Initialize KEYi; If DES, KEYj = 8001010101010101 (odd parity) 

If Skipjack, KEY, = 80000000000000000000 

If encryption is supported by the lUT; 

Send KEY, 

If encryption is not supported by the lUT; 

Initialize CT values; If DES, initialize CT values with values in Appendix B, Table 2 
If Skipjack, initialize CT values with values in Appendix B, 
Table 6 

Send KEY,, n (where «=64 if DES, 80 if Skipjack), CT„ CT 2 ,...,CT„ 

lUT; If encryption is supported by the lUT; 

Initialize CT, = first value from output of Variable Key Known Answer test for the 
Encryption Process for the ECB Mode. 

Otherwise, use the first value received from the MO VS. 

EOR i = 1 to «, where « = 64 if DES, 80 if Skipjack 

{ 

IE (algorithm == SKIPJACK) {process every bit} 

OR 

(algorithm == DES AND i %8 != 0) 

(process every bit except parity bits} 

{ 

IB, = CT, 

Perform algorithm in decrypt state, resulting in PT, 

Send i, KEY,, CT„ PT, 

KEYj^., = vector consisting of "0" in every 

significant bit position except for a single " 1" bit in position 
i+1. Note that odd parity is set. 

If encryption is supported by the lUT; 

CTi^.,= corresponding CTj^., from output of Variable Key 
Known Answer test for the Encryption Process for the ECB 
Mode 

else 

CTi^.,= corresponding CTj^., from MOVS 



MO VS; Compare results of the n decryptions with known answers 


Figure 5.9 The Variable Key Known Answer Test for the Decryption Process - ECB 
Mode 
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Figure 5.9 illustrates the Variable Key Known Answer test for the ECB Decryption Process. 


1. The MOVS shall: 

a. Initialize the KEYj to contain "0" in every significant bit except for a "1" in the 
first position. Eor example, if validating an lUT of the DES algorithm, the 64 bit 

KEYib,n = 1000000 00000001 00000001 00000001 00000001 00000001 

00000001 00000001. The equivalent of this value in hexadecimal notation is 80 
01 01 01 01 01 01 01. Note that the parity bits are set to "0" or "1" to set odd 
parity. 

If validating an lUT of the Skipjack algorithm, the 80 bit KEY; ^in = 10000000 
00000000 00000000 00000000 00000000 00000000 00000000 00000000 
00000000 00000000. The equivalent of this value in hexadecimal notation is 80 
00 00 00 00 00 00 00 00 00 . 

b. If the lUT implements the DES algorithm and encryption is not supported, 
initialize CT; values with the 56 constant CT values from Appendix B, Table 2. If 
the lUT implements the Skipjack algorithm, and encryption is not supported, 
initialize CT; values with the 80 constant CT values from Appendix B, Table 6. 

c. If encryption is not supported by the lUT, forward KEY and the CT values to the 
lUT using Input Type 3. Otherwise, forward the KEY to the lUT using Input 
Type 4. 

2. The lUT shall: 

a. If encryption is supported, initialize the CT value with the first CT value retained 
from the Variable Key Known Answer test for the Encryption Process for the ECB 
Mode (Section 5.1.1.3). Otherwise, use the first value received from the MOVS. 

b. Perform the following for i=l to n, where n = 56 for DES or 80 for Skipjack: 

i. Set the input block IB; equal to the value of CTj, i.e., (IBlj, IB2i,..., IB64i) 

= (CTlj, CT2„...,CT64i). 

ii. Process IB; through the DES or Skipjack algorithm in the decrypt state, 
resulting in plaintext PTj. 

hi. Eorward the current values of the loop number i, KEY;, CTj, and the 
resulting PT; to the MOVS as specified in Output Type 1. 
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iv. Set KEYi ^.1 equal to the vector consisting of "0" in every significant bit 
position except for a single "1" bit in position i+1. The parity bits are set 
for odd parity. 

V. If encryption is supported, set equal to the corresponding value 
retained from the Variable Key Known Answer test for the Encryption 
Process for ECB mode. If encryption is not supported by the lUT, set 
equal to the corresponding value supplied by the MO VS. 

NOTE: The output from the lUT for this test shall consist of 56 output strings if DES is 
implemented or 80 output strings if Skipjack is implemented. Each output string shall 
consist of information included in Output Type 1. 

3. The MO VS shall check the lUT's output for correctness by comparing the received results 
to known values. 
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5.1.2.4 Permutation Operation Known Answer Test for Decryption Process - ECB Mode 


NOTE: This test shall only be performed for lUTs of the DES algorithm. 


MOVS; Initialize KEY; (where i=l-32) = KEY values in Appendix B, Table 3 

If encryption is supported by the lUT; 

Send 32, KEY,, KEYj,..., KEY 32 
If encryption is not supported by the lUT; 

Initialize CT, (where i=l-32) = corresponding CT values in Table 3 
Send 32, KEY,, CT,, KEY 2 , CT 2 ,...,KEY 32 , CT 32 

lUT; If encryption is supported by the lUT: 

Initialize CT, = first value retained from Permutation Operation Known Answer test for 
the Encryption Process for the ECB Mode. 

Otherwise, use the first values received from the MOVS. 

FOR i = 1 to 32 

{ 

IB; = CT; 

Perform DES algorithm in decrypt state using KEY;, resulting in PT; 

Send i, KEY;, CT;, PT; 

KEY;,., = corresponding KEY supplied by MOVS 
If encryption is supported by the lUT; 

CT; 3 .,= the corresponding CT;,., retained from Permutation Operation Known 
Answer test for the Encryption Process for the ECB Mode 

else 

CT; 3 .,= the corresponding CT;,., from MOVS 

} 

MOVS; Compare results from each loop with known answers 


Figure 5.10 The Permutation Operation Known Answer Test for the Decryption Process - 
ECB Mode 


As summarized in Figure 5.10, the Permutation Operation Known Answer test for the ECB 
Decryption Process shall be performed as follows: 

1. The MOVS shall: 

a. If the lUT supports encryption, initialize the KEY values with the 32 constant 
KEY values supplied from Table 3. If the lUT does not support encryption, 
initialize the KEY-ciphertext (KEY-CT) pairs with the 32 constant KEY-CT pairs 
from Appendix B, Table 3. 
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b. If encryption is supported by the lUT, forward the 32 KEY values using Input 

Type 10. If encryption is not supported by the lUT, forward the 32 KEY and CT 
pairs to the lUT using Input Type 9. 


2. The lUT shall: 

a. If encryption is supported by the lUT, initialize the CT value with the first CT 
value retained from the Permutation Operation Known Answer test for the 
Encryption Process for the ECB Mode (Section 5.1.1.4). Otherwise, use the first 
value received from the MO VS. 

b. Perform the following for i = 1 to 32: 

i. Set the input block IB; equal to the value of CTj, i.e, 

(IB 1 „IB2„.. .IB64,)=(CT 1 i,CT2„..., CT64,). 

ii. Using the corresponding KEY;, process IB, through the DES algorithm in 
the decrypt state, resulting in plaintext PT,. 

hi. Eorward the current values of the loop number i, KEY;, CTj, and the 
resulting PT; to the MOVS as specified in Output Type 1. 

iv. Assign a new value to KEYi^.^ by setting it equal to the corresponding KEY 
value supplied by the MOVS. 

V. If encryption is supported, set CTj^.! equal to the corresponding CT value 
retained from the Permutation Operation Known Answer test for the 
Encryption Process for ECB mode. If encryption is not supported, set 
CTj^.! equal to the corresponding CT value supplied by the MOVS. 

NOTE: The above processing shall continue until all 32 KEY-CT values are passed as 
specified in Input Type 9 or all 32 KEY values are passed as specified in Input Type 10. 
The output from the lUT for this test shall consist of 32 output strings. Each output 
string shall consist of information included in Output Type 1. 


3. The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values. 
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5.1.2.5 Substitution Table Known Answer Test for the Decryption Process - ECB Mode 


NOTE: This test shall only be performed for lUTs of the DES algorithm. 


MO VS; Initialize KEYj (where i=l-19) = KEY values in Appendix B, Table 4 

If encryption is supported by the lUT; 

Send 19, KEY,, KEY 2 ,...,KEYi 5 
If encryption is not supported by the lUT; 

Initialize CT, (where i=l-19) = corresponding CT values in Table 4 
Send 19, KEY,, CT„ KEY 2 , CT 2 ,...,KEY,„ CT„ 

lUT; If encryption is supported by the lUT; 

Initialize CT, = first value from output of Substitution Table Known Answer test for the 
Encryption Process for the ECB Mode. 

Otherwise, use the first value received from the MO VS. 

EOR i = 1 to 19 

{ 

IB, = CT, 

Perform DES algorithm in decrypt state using KEY,, resulting in PT, 

Send i, KEY,, CT„ PT, 

KEY,,., = corresponding KEY,,., supplied by MOVS 
If encryption is supported 

CTi,.,= corresponding CT,,., from output of Substitution Table Known 
Answer test for the Encryption Process for the ECB Mode 

else 

CTi,.,= the corresponding CT,,., from MO VS 

} 

MO VS; Compare results from each loop with known answers 


Figure 5.11 The Substitution Table Known Answer Test for the Decryption Process - ECB 
Mode 


Figure 5.11 illustrates the Substitution Table Known Answer test for the ECB Decryption 
Process. 

1. The MOVS shall: 

a. If the lUT supports encryption, initialize the KEY values with the 19 constant 
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KEY values supplied from Appendix B, Table 4. If the lUT does not support 
encryption, initialize the KEY-ciphertext (KEY-CT) pairs with the 19 constant 
KEY-CT pairs from Appendix B, Table 4. 

b. If encryption is supported by the lUT, forward the 19 KEY values using Input Type 
10. Forward the 19 KEY-CT pairs to the lUT using Input Type 9 if encryption is not 
supported by the lUT. 


2. The lUT shall: 

a. If encryption is supported, initialize the CT value with the first CT value retained 
from the Substitution Table Known Answer test for the Encryption Process for the 
ECB Mode (Section 5.1.1.5). Otherwise, use the first value received from the 
MO VS. 

b. Perform the following for i = 1 to 19: 

i. Set the input block IB; equal to the value of CTj, i.e, (IBIi,IB2i,...IB64i) = 
(CTIi,CT2„...,CT64i). 

ii. Using the corresponding KEY;, process IB; through the DES algorithm in the 
decrypt state, resulting in plaintext PT,. 

hi. Forward the current values of the loop number i, KEY;, CTj, and the resulting 
PTj to the MOVS as specified in Output Type 1. 

iv. Set KEYi ^.1 equal to the corresponding KEY supplied by MOVS. 

V. If encryption is supported, set CTj^.! equal to the corresponding CT value 
retained from the Substitution Table Known Answer test for the Encryption 
Process for the ECB mode. If encryption is not supported, set CTj^.! equal to 
the corresponding CT value supplied by the MOVS. 

NOTE: The above processing shall continue until all 19 KEY-CT pairs, as specified in Input 
Type 9, or all 19 KEY values, as specified in Input Type 10, are processed. The output from 
the lUT for this test shall consist of 19 output strings. Each output string shall consist of 
information included in Output Type 1. 


3. The MOVS shall check the lUT's output for correctness by comparing the received results to 
known values. 
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5.1.2.6 Modes Test for the Decryption Process - ECB Mode 


MO VS; Initialize KEYo, CTo 

Send KEYo, CTo 

lUT; FOR i = 0 TO 399 
{ 

Record i, KEYo CTo 
FORj = OTO 9,999 
{ 

IBj = CTj 

Perform algorithm in decrypt state, resulting in PTj 

CTj,, = PTj 

} 

Record PTj 

Send i, KEYo CTo, PT^ 

KEY,^, = KEY, ® last n bits of PT, 

where «=64 if DES and «=80 if Skipjack 

CTo = PT9999 


MOVS;Check lUT's output for correctness 


Figure 5.12 The Modes Test for the Decryption Process - ECB Mode 


Figure 5.12 illustrates the Modes test for the ECB Decryption Process. 

1. The MOVS shall: 

a. Initialize KEY and ciphertext CT variables. The CT shall consist of 64 bits, while the 
KEY length shall be dependent on the algorithm implemented by the lUT. 

b. Eorward these values to the lUT using Input Type 1. 

2. The lUT shall perform the following for i=0 through 399: 

a. Record the current values of the outer loop number i, the KEY;, and the CTq. 

b. Perform the following for j=0 through 9999: 

i. Set the input block IBj equal to the value of CTj, i.e., (IBlj, IB2j,..., IB64j) = 
(CTlj, CT2j,..., CT64j). 
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Process IBj through the DBS or Skipjack algorithm in the decrypt state, 
resulting in plaintext PTj. 


ii. 


hi. Prepare for loop j+1 by assigning with the current value of PTj, i.e., 
(CTlj^i, CT2j,i,... CT64j,i) = (PTlj, PT2j,..., PT64j). 


c. Record the PTj. 

d. Output all recorded information for this loop as specified in Output Type 1. 

e. Assign a new value to the KEY in preparation for the next outer loop. The new KEY 
shall be calculated by exclusive-ORing the current KEY with the current PT. Eor 
lUTs of the DBS algorithm, this shall equate to (KEYli^.i, KEY2i^.i,... KEY64i^.i) = ( 
(KEYl.ePTlgggg, KEY 2 iePT 29999 ,... KEYbdiePTbd^^). 

Eor lUTs for the Skipjack algorithm, the PT shall be expanded in length to 80 bits 
(the length of a Skipjack key) before the new KEY can be formed. This expansion 
shall be accomplished by concatenating the 16 rightmost bits of the previous PT 
(PTgggg) with tho 64 bits of the current PT (PT 9999 ). This value shall then be exclusive- 
ORed with the current KEY to form the new KEY, i.e., (KEYli^.i, KEY2i^.i, ... 
KEY80i^i) = (KEYliePT499998, KEY2iePT509998,... KEYlbiePTbdgggg, 
KEYlV.ePTlgggg, KEY 1 8 iePT 29999 ,... KEY80,ePT649999). 

f. Assign a new value to CT in preparation for the next outer loop. CTq shall be 
assigned the value of the current PT, i.e., (CTIq, CT2o,...,CT64o) = (PTI 9999 , 
PT 29999 ,...,PT 649999 ). (Note that the new CT shall be denoted as CT^ to be used for 
the first pass through the inner loop when j= 0 .) 

NOTE: The output from the lUT for this test shall consist of 400 output strings consisting of 

information included in Output Type 1. 


3. The MO VS shall check the lUT's output for correctness by comparing the received results to 

known values. 
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5.2 Cipher Block Chaining (CBC) Mode 


The lUTs for the DBS or Skipjack algorithm in the Cipher Block Chaining (CBC) mode shall be 
validated by successfully completing a series of Known Answer tests and Modes tests corresponding 
to the cryptographic processes allowed by the lUT. 


5.2.1 Encryption Process 

The process of validating an lUT for the DBS algorithm which implements the encryption process of 
the CBC mode of operation shall involve the successful completion of the following six tests: 

1. The Variable Plaintext Known Answer Test - CBC mode 

2. The Inverse Permutation Known Answer Test - CBC mode 

3. The Variable Key Known Answer Test for the Bncryption Process - CBC mode 

4. The Permutation Operation Known Answer Test for the Bncryption Process - CBC mode 

5. The Substitution Table Known Answer Test for the Bncryption Process - CBC mode 

6. The Modes Test for the Bncryption Process - CBC mode 

The validation process for an lUT of the Skipjack algorithm which implements the encryption 
process of the CBC mode of operation shall require the successful completion of tests 1, 2, 3, and 6 
only. 

An explanation of the tests follows. 
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5.2.1.1 The Variable Plaintext Known Answer Test - CBC Mode 


MO VS; Initialize KEY; If DES, KEY = 0101010101010101 (odd parity set) 

If Skipjack, KEY = 00000000000000000000 
IV = 0000000000000000 
PT, = 8000000000000000 
Send KEY, IV, PT, 

lUT; FOR i = 1 to 64 
{ 

IBi= PT,® IV 

Perform algorithm in encrypt state, resulting in CT, 

Send i, KEY, IV, PT,, CT, 

PT,,., = basis vector where single "1" bit is in position i+1 


MO VS; Compare results from each loop with known answers 

If DES, use Appendix B, Table 1. If Skipjack, use Appendix B, Table 5. 


Figure 5.13 The Variable Plaintext Known Answer Test - CBC Mode 


Figure 5.13 illustrates the Variable Plaintext Known Answer test for the CBC mode. 

1. The MOVS shall: 

a. Initialize the KEY parameter to the constant hexadecimal value 0. For lUTs of the 
DES algorithm, the KEY,,^,; = 01 01 01 01 01 01 01 OE Note that the significant 
bits are set to "0" and the parity bits are set to "1" to make odd parity. 

For lUTs of the Skipjack algorithm, the KEY,,^,; = 00 00 00 00 00 00 00 00 00 00. 

b. Initialize the 64 bit IV parameter to the constant hexadecimal value 0, i.e., IV,,gx = 

00 00 00 00 00 00 00 00 . 

c. Initialize the 64 bit plaintext PT, to the basis vector containing a "1" in the first bit 
position and "0" in the following 63 positions, i.e., PT, = 10000000 00000000 
00000000 00000000 00000000 00000000 00000000 00000000. The equivalent 
of this value in hexadecimal notation is 80 00 00 00 00 00 00 00. 

d. Forward this information to the lUT using Input Type 2. 


2. The lUT shall perform the following for i = 1 through 64: 
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a. Calculate the input block IB; by exclusive-ORing PT; with IV, i.e., 
(IBl„IB2.,...IB64i) = (PTlieIVl,PT2ieIV2,..., PT64ieIV64). 

b. Process IB; through the DBS or Skipjack algorithm in the encrypt state, resulting 
in ciphertext CTj. 

c. Forward the current values of the loop number i, KEY, IV, PT;, and the resulting 
CT; to the MOVS as specified in Output Type 2. 

d. Retain CT; for use with the Inverse Permutation Known Answer test for the CBC 
Mode of Operation (Section 5.2.1.2), and, if the lUT supports decryption, for use 
with the Variable Ciphertext Known Answer test for the CBC Mode (Section 
5.2.2.1). 

e. Assign a new value to PT^^.! by setting it equal to the value of a basis vector with a 
"1" bit in position i+1, where i+l=2..64. 

NOTE: This continues until every possible basis vector has been represented by the PT, 
i.e. 64 times. The output from the lUT shall consist of 64 output strings. Each output 
string shall consist of information included in Output Type 2. 

3. The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values found in Appendix B, Table 1 for DES or Table 5 for Skipjack. 
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5.2.1.2 The Inverse Permutation Known Answer Test - CBC Mode 


MO VS; Initialize KEY; If DES, KEY = 0101010101010101 (odd parity set) 

If Skipjack, KEY = 00000000000000000000 
IV = 0000000000000000 

PTj (where i=l-64) = 64 CT values from the Variable Plaintext Known Answer 
test 

Send KEY, IV, 64, PT,..PT 64 

lUT; FOR i = 1 to 64 
{ 

IBi= PT,® IV 

Perform algorithm in encrypt state, resulting in CTj 
Send i, KEY, IV, PT„ CT, 

PTi ^.1 = corresponding PTj^.! from MO VS 

} 

MO VS; Compare results from each loop with known answers 
Should be the set of basis vectors 


Figure 5.14 The Inverse Permutation Known Answer Test - CBC Mode 


Figure 5.14 illustrates the Inverse Permutation Known Answer test for the CBC mode. 

1. The MOVS shall: 

a. Initialize the KEY parameter to the constant hexadecimal value 0. For lUTs of the 
DES algorithm, the KEY,,g,; = 01 01 01 01 01 01 01 01. Note that the significant 
bits are set to "0" and the parity bits are set to "1" to make odd parity. 

For lUTs of the Skipjack algorithm, the KEY^g,^ = 00 00 00 00 00 00 00 00 00 00. 

b. Initialize the 64 bit IV parameter to the constant hexadecimal value 0, i.e., = 

00 00 00 00 00 00 00 00 . 

c. Initialize the 64 bit plaintext values PT; (where i=l-64) to the CT; results obtained 
from the Variable Plaintext Known Answer test. 

d. Forward this information to the lUT using Input Type 5. 


2. The lUT shall perform the following for i = 1 through 64: 

a. Calculate the input block IB; by exclusive-ORing PT; with IV, i.e.. 
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(IBl„IB2i,...IB64i) = (PTlieIVl,PT2ieIV2,..., PT64ieIV64). 


b. Process IB; through the DBS or Skipjack algorithm in the encrypt state, resulting 
in ciphertext CTj. 

c. Forward the current values of the loop number i, KEY, IV, PTj, and the resulting 
CT; to the MOVS as specified in Output Type 2. 

d. Assign a new value to PT^^.! by setting it equal to the corresponding output from 
the Variable Plaintext Known Answer test for the CBC mode. 

NOTE: This processing continues until all ciphertext values from the Variable Plaintext 
Known Answer test have been used as input. The output from the lUT shall consist of 64 
output strings. Each output string shall consist of information included in Output Type 2. 

3. The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values. The CT values should be the set of basis vectors that were used as 
plaintext for the Variable Plaintext Known Answer test. 
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5.2.1.3 The Variable Key Known Answer Test for the Encryption Process - CBC Mode 


MOVS; Initialize KEYii If DES, KEYj = 8001010101010101 (with odd parity) 

If Skipjack, KEY, = 80000000000000000000 
IV =0000000000000000 
PT = 0000000000000000 
Send KEY,, IV, PT 


lUT: FOR i = 1 to «, where « = 64 if DBS, 80 if Skipjack 

{ 

IF (algorithm == SKIPJACK) {process every bit} 

OR 

(algorithm == DES AND i %8 != 0) 

(process every bit except parity bits} 

{ 

IB, = PT ® IV 

Perform algorithm in encrypt state using KEY,, resulting in CT, 

Send i, KEY,, IV, PT, CT, 

KEY,,., = vector consisting of "0" in every significant bit position 
except for a single "1" bit in position i+1. Note that parity bits are "0" 
or "1" to make the KEY odd parity. 

} 

I 

MOVS; Compare results of the n encryptions with known answers 

For DES, use Appendix B, Table 2. For Skipjack, use Appendix B, Table 6. 


Figure 5.15 The Variable Key Known Answer Test for the Encryption Process - CBC 
Mode 

As summarized in Figure 5.15, the Variable Key Known Answer test for the CBC Eneryption 
Process shall be performed as follows: 

1. The MOVS shall: 

a. Initialize KEY, to contain "0" in every significant bit except for a "1" in the first 

position. Eor example, if validating an lUT of the DES algorithm, the 64 bit KEY, 
= 10000000 00000001 00000001 00000001 00000001 00000001 00000001 
00000001. The equivalent of this value in hexadecimal notation is 80 01 01 01 01 
01 01 OE Note that the parity bits are set to "0" or "1" to get odd parity. 
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If validating an lUT for the Skipjack algorithm, the 80 bit KEY; ^in = 10000000 
00000000 00000000 00000000 00000000 00000000 00000000 00000000 
00000000 00000000. The equivalent of this value in hexadecimal notation is 80 
00 00 00 00 00 00 00 00 00 . 

b. Initialize the 64 bit initialization vector IV to the value of 0, i.e., IV,,g,^=00 00 00 00 

00 00 00 00 . 

c. Initialize the 64 bit plaintext PT to the value of 0, i.e., PT,,g,(=00 00 00 00 00 00 00 
00 . 

d. Forward this information to the lUT using Input Type 2. 


2. The lUT shall perform the following for i = 1 to n: (NOTE: n equals the number of 

significant bits in a DES or Skipjack key.) 

a. Calculate the input block IB, by exclusive-ORing PT with the IV, i.e, 
(IB1„IB2„...IB64,) = (PTleIVl,PT2eIV2,...,PT64eIV64). 

b. Using the corresponding KEY;, process IB; through the DES or Skipjack algorithm 
in the encrypt state, resulting in ciphertext CT,. 

c. Forward the current value of the loop number i, KEY;, IV, PT, and the resulting 
CT; to the MOVS as specified in Output Type 2. 

d. If the lUT supports decryption, retain CTj for use with the Variable Key Known 
Answer test for the Decryption Process for the CBC Mode (Section 5.2.2.3). 

e. Set KEYi ^.1 equal to the vector consisting of "0" in every significant bit position 
except for a single "1" bit in position i+1. The parity bits are set for odd parity. 

NOTE: The above processing continues until every significant basis vector has been 

represented by the KEY parameter. The output from the lUT for this test shall consist of 

56 output strings if DES is implemented and 80 output strings if Skipjack is implemented. 

Each output string shall consist of information included in Output Type 2. 


3. The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values found in Appendix B, Table 2 for DES or Table 6 for Skipjack. 
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5.2.1.4 Permutation Operation Known Answer Test for the Encryption Process - CBC 
Mode 


NOTE: This test shall only be performed for lUTs of the DES algorithm. 


MOVS; Initialize KEYj (where i=l-32) = 32 KEY values in Appendix B, Table 3 

IV = 0000000000000000 
PT = 0000000000000000 
Send PT, IV, KEYi, KEY 2 ,... KEY 32 

lUT; FOR i = 1 to 32 
{ 

IB, = PT ® IV 

Perform DES algorithm in encrypt state using KEYj, resulting in CTj 
Send i, KEY,, IV, PT, CT, 

KEY,,.! = key,,.! from MOVS 


MOVS; Compare results with known answers 


Figure 5.16 The Permutation Operation Known Answer Test for the Encryption Process 
- CBC Mode 


Figure 5.16 illustrates the Permutation Operation Known Answer test for the CBC Encryption 
Process. 

1. The MOVS shall: 

a. Initialize KEY;, where i=l-32, with the 32 constant KEY values from Appendix B, 
Table 3. 

b. Initialize the 64 bit IV to the value of 0, i.e., IV,,g,;=00 00 00 00 00 00 00 00. 

c. Initialize the plaintext PT to the value of 0, i.e., PT,,g,;=00 00 00 00 00 00 00 00. 

d. Eorward this information to the lUT using Input Type 8. 

2. The lUT shall perform the following for i = 1 to 32: 

a. Calculate the input block IB; by exclusive-ORing PT with IV, i.e, 
(IBli,IB2„...IB64i) = (PTleIVl,PT2eIV2,..., PT64eIV64). 
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b. Using the corresponding KEY;, process IB; through the DES algorithm in the 
encrypt state, resulting in ciphertext CTj. 

c. Forward the current value of the loop number i, KEY^, IV, PT, and the resulting 
CT; to the MOVS as specified in Output Type 2. 

d. If the lUT supports decryption, retain CT; for use with the Permutation Operation 
Known Answer test for the Decryption Process for the CBC mode (Section 
5.2.2.4). 

e. Set KEYj^.! equal to the corresponding KEY supplied by the MOVS. 

NOTE: The above processing shall continue until all 32 KEY values as specified in Input 
Type 8 are processed. The output from the lUT for this test shall consist of 32 output 
strings. Each output string shall consist of information included in Output Type 2. 

3. The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values found in Appendix B, Table 3. 
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5.2.1.5 Substitution Table Known Answer Test for the Encryption Process - CBC Mode 


NOTE: This test shall only be performed for lUTs of the DES algorithm. 


MOVS; Initialize KEY; (where i=l-19) = 19 KEY values in Appendix B, Table 4 

PTi = (where i=l-19) = 19 corresponding PT values in Table 4 
IV = 0000000000000000 

Send IV, 19, KEY,, PT„ KEYj, PT 2 ,...,KEYi 5 , PT,, 

lUT; FOR i = 1 to 19 
{ 

IB, = PT, ® IV 

Perform DES algorithm in encrypt state using KEY,, resulting in CT, 

Send i, KEY,, IV, PT., CT. 

KEY.,., = KEY.,., from MOVS 

PTj.^, = corresponding PTj.^, from MOVS 

} 

MOVS; Compare results from each loop with known answers 


Figure 5.17 The Substitution Table Known Answer Test for the Encryption Process - 
CBC Mode 


As summarized in Figure 5.17, the Substitution Table Known Answer test for the CBC 
Encryption Process shall be performed as follows: 

1. The MOVS shall: 

a. Initialize the KEY-plaintext (KEY-PT) pairs with the 19 constant KEY-PT values 
from Appendix B, Table 4. 

b. Initialize IV to the value of 0, i.e., IV,,g,;=00 00 00 00 00 00 00 00. 

c. Eorward this information to the lUT using Input Type 11. 

2. The lUT shall perform the following for i = 1 to 19: 

a. Calculate the input block IB, by exclusive-ORing PT, with the IV, i.e. 


69 





(IB1„IB2„...IB64,) = (PTlieIVl,PT2ieIV2,...,PT64,eIV64). 


b. Using the corresponding KEY;, process IB; through the DES algorithm in the 
encrypt state, resulting in ciphertext CTj. 

c. Forward the current value of the loop number i, KEY;, IV, PTj, and the resulting 
CT, to the MOVS as specified in Output Type 2. 

d. If the lUT supports decryption, retain CT; for use with the Substitution Table 
Known Answer test for the CBC Decryption Process (Section 5.2.2.5). 

e. Set KEYi ^.1 equal to the corresponding KEY value supplied by MOVS. 

f. Set PTi ^.1 equal to the corresponding PT value supplied by MOVS. 

NOTE: The above processing continues until all 19 KEY-PT pairs, as specified in Input 
Type II, are processed. The output from the lUT for this test shall consist of 19 output 
strings. Each output string shall consist of information included in Output Type 2. 

3. The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values found in Appendix B, Table 4. 
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5.2.1.6 Modes Test for the Encryption Process - CBC Mode 


MO VS; Initialize KEYq, IV, PTq 
S end KEYo, IV, PTo 

lUT; FOR i= 0 TO 399 
{ 

If(i==0)CVo = IV 
Record i, KEY,, CVq, PTq 
FOR j = OTO 9,999 
{ 

IBj = PTj ® CVj 

Perform algorithm in encrypt state, resulting in CTj 
IFj=0 

PTh, = CVo 
ELSE 

PTj,,=CTi., 

CVj.i=CTj 

} 

Record CTj 

Send i, KEY,, CVq, PTq, CT^ 

KEYj^., = KEY) ® last n bits of CT, where «=64 if DES, «=80 if Skipjack 

PTfl = CTjjjg 

CVo = CT„„ 

} 


Figure 5.18 The Modes Test for the Encryption Process - CBC Mode 

As summarized in Figure 5.18, the Modes test for the CBC Encryption Process shall be 
performed as follows: 

1. The MOVS shall: 

a. Initialize the KEY, initialization vector IV and plaintext PT variables. The PT and 
IV shall consist of 64 bits each. The KEY length shall be dependent on the 
algorithm implemented by the lUT. 

b. Eorward these values to the lUT using Input Type 2. 


2. The lUT shall perform the following for i = 0 through 399: 

a. If i=0 (if this is the first time through this loop), set the chaining value CVq equal 
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to the IV. 


b. Record the current value of the outer loop number i, KEY;, CVq and PTq. 

c. For j = 0 through 9999, perform the following: 

i. Set the input block IBj equal to the value of PTj exclusive-ORed with the 
CVj, i.e., (IBlj, IB2j, ...,IB64j) = (PTljeCVlj, PT2jeCV2j, 

PT64jeCV64j). 

ii. Process IBj through the DBS or Skipjack algorithm in the encrypt state, 
resulting in CTj. 

hi. Prepare for loop j-tl by doing the following: 

Assign CVj+i with the current value of CTj, i.e., (CVIj+j, CV2j^i, ..., 
CV64j,,) = (CTlj, CT2j,..., CT64j). 

If the inner loop being processed is the first loop, i.e., j = 0, assign 
PTj+i with the current value of CVq, i.e., (PTlj, PT2i,..., PT64i) = 
(CVIq, CV2o, ..., CV64o). Otherwise, assign PTj^i with the CT 
from the previous inner cycle, CTj_j, i.e., (PTlj^i, PT2j^i,...,PT64j^i) 
= (CTlj.„ CT2j.„...CT64j.,). 

d. Record the CTj. 

e. Output all recorded information from this loop, as specified in Output Type 2, to 
the MO VS. 

f. Assign a new value to the KEY in preparation for the next outer loop. The new 
KEY shall be calculated by exclusive-ORing the current KEY with the current CT. 
For lUTs of the DBS algorithm, this shall equate to (KEYli+j, KEY2i+i, ... 
KEY64,^i) = (KEYlieCTl 9999 , KEYl^eCTl ^^^^,... KEYbdieCTbd,,,,). 

For lUTs of the Skipjack algorithm, CT shall be expanded in length to 80 bits (the 
length of a Skipjack key) before the new KEY can be formed. This expansion 
shall be accomplished by concatenating the 16 rightmost bits of the previous CT 
(CTgggg) with thc 64 bits of the current CT (CT 9999 ). This value shall then be 
exclusive-ORed with the current KEY to form the new KEY, i.e., (KEYli^.i, 
KEY 2 i^i,... KEYSOi^i) = (KEYlieCT49„98, KEY2ieCT509„8,... 
KEY16ieCT64555g, KEYlV.eCTl,,^, ... KEYSOieCTbd,,,,). 

g. Assign a new value to CV,, in preparation for the next outer loop. CVg shall be 
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assigned the value of the current CT, i.e., (CVIq, CV2o, CV64o) = (CTI 9999 , 
CTlgggg, CTddgggg).(Notc thut thc Hcw CV shull bc dcuoted as CV^ because this 
value is used for the first pass through the inner loop when j= 0 .) 

h. Assign a new value to the PT in preparation of the next outer loop. PTq shall be 

assigned the value of the CT from the previous cycle, i.e., (PTIq, PT2o,...,PT64o) = 
(CTlgggg, CT2... ,CT6A. (Notc thut thc ucw PT shull be denoted as PTg 
because this value is used for the first pass through the inner loop when j= 0 .) 

NOTE: The output from the lUT for this test shall consist of 400 output strings. Each 
output string shall consist of information included in Output Type 2. 

3. The MO VS shall check the lUT's output for correctness by comparing the received results 
to known values. 
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5.2.2 Decryption Process 

The process of validating an lUT for the CBC mode of the DBS algorithm which implements the 
decryption process shall involve the successful completion of the following six tests: 

1. The Variable Ciphertext Known Answer Test - CBC mode 

2. The Initial Permutation Known Answer Test - CBC mode 

3. The Variable Key Known Answer Test for the Decryption Process - CBC mode 

4. The Permutation Operation Known Answer Test for the Decryption Process - CBC 
mode 

5. The Substitution Table Known Answer Test for the Decryption Process - CBC mode 

6. The Modes Test for the Decryption Process - CBC mode 

The validation process for an lUT of the Skipjack algorithm using the CBC mode of operation in 
the decryption process shall require the successful completion of tests 1, 2, 3, and 6 only. 

An explanation of the tests follows. 
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5.2.2.1 The Variable Ciphertext Known Answer Test - CBC Mode 


MO VS; If encryption is supported by the lUT; 

Initialize KEY; If DES, KEY = OIOIOIOIOIOIOIOI (odd parity set) 

If Skipjack, KEY=00000000000000000000 
IV = 0000000000000000 
Send KEY, IV 

If encryption is not supported by the lUT; 

Initialize KEY; If DES, KEY=0I0I0I0I0I0I0I0I (odd parity set) 

If Skipjack, KEY=00000000000000000000 
IV = 0000000000000000 

CTj (where i=I-64); If DES, CT values in Appendix B, Table 1 

If Skipjack, CT values in Appendix B, Table 5 
Send KEY, IV, 64, CT„ CT 2 ,...,CT 64 

lUT; If encryption is supported; 

Initialize CTi= first value from output of Variable Plaintext Known Answer test. 

Otherwise, use the first value received from the MO VS. 

FOR i = 1 to 64 

{ 

IBi = CT 

Perform algorithm in decrypt state, resulting in OBj 

PT, = OB, ® IV 

Send i, KEY, IV, CT,, PT, 

If encryption is supported; 

CTj^., = corresponding CTj^., from output of Variable Plaintext Known Answer test 

else 

CTj^.! = corresponding CTj^., value from MO VS 

} 

MO VS; Compare results from each loop with known answers 


Figure 5.19 The Variable Ciphertext Known Answer Test - CBC Mode 


As summarized in Figure 5.19, the Variable Ciphertext Known Answer test for the CBC mode of 
operation shall be performed as follows: 
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1 . 


The MOVS shall: 


a. Initialize the KEY parameter to the constant hexadecimal value 0. For lUTs of the 
DES algorithm, KEY,,g,; = 01 01 01 01 01 01 01 01. Note that the significant bits 
are set to "0" and the parity bits are set to "1" to make odd parity. For Skipjack 
implementations, the KEY^^,^ = 00 00 00 00 00 00 00 00 00 00. 

b. Initialize the initialization vector IV to the constant hexadecimal value 0, i.e., 

= 00 00 00 00 00 00 00 00 . 

c. If the lUT is of the DES algorithm, and it does not support encryption, initiali z e 
the 64 ciphertext CT values with the 64 constant CT values from Appendix B, 
Table 1. If the lUT is of the Skipjack algorithm, and it does not support 
encryption, initialize the 64 ciphertext CT values with the 64 constant values from 
Appendix B, Table 5. 

d. If encryption is supported by the lUT, forward the KEY and IV to the lUT, as 
specified in Input Type 6. If encryption is not supported by the lUT, forward the 
KEY, IV and CT to the lUT, as specified in Input Type 5. 


2. The lUT shall: 

a. If encryption is supported, initialize the CT value with the first CT value retained 
from the Variable Plaintext Known Answer test for the CBC Mode (Section 
5.2.1.1). Otherwise, use the first value received from the MOVS. 

b. Perform the following for i=l through 64: 

i. Set the input block IB; equal to the value of CTj, i.e., (IBli,IB2i,...,IB64i) = 
(CT1„CT2„...,CT64,). 

ii. Process IB; through the DES or Skipjack algorithm in the decrypt state, 
resulting in the output block OB,. 

hi. Calculate the plaintext PT^ by exclusive-ORing OB; with IV, i.e., (PTlj, 
PT2„...,PT64,) = (OBl,eIVl, OB2ieIV2,...,OB64,eIV64). 

iv. Forward the current value of the loop number i, KEY, IV, CTj, and the 
resulting PT; to the MOVS using Output Type 2. 

V. If encryption is supported, set CTj^.! equal to the corresponding output 
from the Variable Plaintext Known Answer test for CBC mode. If 
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encryption is not supported, assign a new value to by setting it equal 
to the corresponding value supplied by the MO VS. 

NOTE: The output from the lUT for this test shall consist of 64 output strings. Each 
output string shall consist of information included in Output Type 2. 

3. The MO VS shall check the lUT's output for correctness by comparing the received results 
to known values. 
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5.22.2 The Initial Permutation Known Answer Test - CBC Mode 


MO VS; Initialize KEY: If DES, KEY = 0101010101010101 (odd parity set) 

If Skipjack, KEY=00000000000000000000 
IV = 0000000000000000 

CTj (where i=l-64); 64 PT values from Variable Ciphertext Known 
Answer test 

Send KEY, IV, 64, CT„ CT 2 ,...,CT 64 

lUT; Initialize CT,= first value from output of Variable Ciphertext Known Answer test. 

FOR i = 1 to 64 
{ 

IB; = CT, 

Perform algorithm in decrypt state, resulting in OB; 

PT, = OB, ® IV 

Send i, KEY, IV, CT„ PT, 

CTj^., = corresponding CTj^.; value from MO VS 

} 

MO VS; Compare results from each loop with known answers. For DES, use Appendix B, Table 1, For 
Skipjack, use Appendix B, Table 5. 


Figure 5.20 The Initial Permutation Known Answer Test - CBC Mode 


As summarized in Figure 5.20, the Initial Permutation Known Answer test for the CBC mode of 
operation shall be performed as follows: 

1. The MOVS shall: 

a. Initialize the KEY parameter to the constant hexadecimal value 0. For lUTs of the 
DES algorithm, KEY,,g,; = 01 01 01 01 01 01 01 01. Note that the significant bits 
are set to "0" and the parity bits are set to "1" to make odd parity. For Skipjack 
implementations, the KEY^^,; = 00 00 00 00 00 00 00 00 00 00. 

b. Initialize the initialization vector IV to the constant hexadecimal value 0, i.e., IV,,g,^ 
= 00 00 00 00 00 00 00 00 . 

c. Initialize the 64 CT values with the 64 PT values obtained from the Variable 
Ciphertext Known Answer test. 
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d. Forward the KEY, IV and the 64 CT values to the lUT, as specified in Input Type 
5. 


2. The lUT shall perform the following for i=l through 64: 

a. Set the input block IB; equal to the value of CTj, i.e., (IBli,IB2i,...,IB64i) = 

(CTli,CT2„...,CT64,). 

b. Process IB; through the DES or Skipjack algorithm in the decrypt state, resulting 
in the output block OBj. 

c. Calculate the plaintext PT, by exclusive-ORing OB; with IV, i.e., (PTlj, 
PT2„...,PT64,) = (OBljelVl, OB2ieIV2,...,OB64ieIV64). 

d. Eorward the current value of the loop number i, KEY, IV, CTj, and the resulting 
PT, to the MOVS using Output Type 2. 

e. Set CTj^.! equal to the corresponding CTj^.! value supplied by the MOVS. 

NOTE: The output from the lUT for this test shall consist of 64 output strings. Each 
output string shall consist of information included in Output Type 2. 

3. The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values. 
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5.2.2.3 The Variable Key Known Answer Test for the Decryption Process - CBC Mode 


MO VS; Initialize KEY; If DES, KEYj = 8001010101010101 (odd parity set) 

If Skipjack, KEY, = 80000000000000000000 
IV=0000000000000000 
If encryption is supported by the lUT; 

Send KEY,, IV 

If encryption is not supported by the lUT; 

Initialize CT values; If DES, initialize CT values with values in Appendix B, Table 2 
If Skipjack, initialize CT values with values in Appendix B, 
Table 6. 

Send KEY,, IV, n (where «=64 if DES, 80 if Skipjack), CT„ CTj,..., CT„ 

lUT; If encryption is supported by the lUT; 

Initialize CT, = first value from output of Variable Key Known Answer test for the 
Encryption Process for the CBC Mode. 

Otherwise, use the first value received from the MO VS. 

EOR i = 1 to «, where « = 56 if DES, 80 if Skipjack 

{ 

IE (algorithm == SKIPJACK) {process every bit} 

OR 

(algorithm == DES AND i %8 != 0) 

(process every bit except parity bits} 

{ 

IB, = CT, 

Perform algorithm in decrypt state, resulting in OB, 

PT, = OB, ® IV 

Send i, KEY,, IV, CT„ PT, 

KEY,,., = vector consisting of "0" in every significant bit position except 

for a single "1" bit in the i+P‘ position. Note that odd parity is set. 
If encryption is supported by the lUT; 

CT,,., = corresponding CT,,., from output of Variable Key Known 
Answer test for the Encryption Process for CBC Mode 

else 

CT,,., = corresponding CT,,., value from MO VS 

I 

} 

MO VS; Compare results of the n decryptions with known answers 


Figure 5.21 The Variable Key Known Answer Test for the Decryption Process - CBC 
Mode 

Figure 5.21 illustrates the Variable Key Known Answer test for the CBC Decryption Process. 
1. The MOVS shall: 
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a. Initialize KEY; to contain "0" in every significant bit except for a "1" in the first 
position. (Note that odd parity is set on the KEY.) For example, if validating an 
lUT of the DES algorithm, the 64 bit KEY; = 10000000 00000001 00000001 
00000001 00000001 00000001 00000001 00000001. The equivalent of this value 
in hexadecimal notation is 80 01 01 01 01 01 01 01. 

If validating an lUT of the Skipjack algorithm, the 80 bit KEY; = 10000000 
00000000 00000000 00000000 00000000 00000000 00000000 00000000 
00000000 00000000. The equivalent of this value in hexadecimal notation is 80 
00 00 00 00 00 00 00 00 00 . 

b. Initialize IV to contain the value of zero, i.e., IV^^,; = 00 00 00 00 00 00 00 00. 

c. If the lUT is of the DES algorithm, and encryption is not supported, initialize CT; 
values with the 56 constant CT values from Appendix B, Table 2. Otherwise, if 
the lUT is of the Skipjack algorithm, and encryption is not supported, initialize the 
CT; values with the 80 constant CT values from Appendix B, Table 6. 

d. If encryption is not supported by the lUT, forward the KEY, IV, and the multiple 
CT values to the lUT, as specified in Input Type 5. Otherwise, forward the KEY 
and IV to the lUT, as specified in Input Type 6. 


2. The lUT shall: 

a. If encryption is supported, initialize the CT value with the first CT value retained 

from the Variable Key Known Answer test for the Encryption Process for the CBC 

Mode (Section 5.2.1.3). Otherwise, use the first value received from the MOVS. 

b. Perform the following for i=l to n, where n = 56 for DES or 80 for Skipjack: 

i. Set the input block IB; equal to the value of CTj, i.e., (IBlj, IB2i,..., IBbdj) 

= (CTlj, CT2.,...,CT64,). 

ii. Process IB; through the DES or Skipjack algorithm in the decrypt state, 
resulting in output block OBj. 

hi. Calculate the plaintext PT, by exclusive-ORing OB; with IV, i.e., (PTlj, 
PT2.,...,PT64,) = (OBl.elVl, OB2ieIV2,...,OB64,eIV64). 

iv. Forward the current values of the loop number i, KEY;, IV, CT; and the 
resulting PT; to the MOVS using Output Type 2. 
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V. Set KEYi ^.1 equal to the vector consisting of "0" in every significant bit 

position except for a single "1" bit in the i+P‘ position. The parity bits are 
set for odd parity. 

vi. If encryption is supported, set equal to the corresponding value 
retained from the Variable Key Known Answer test for the Encryption 
Process for CBC mode. If encryption is not supported by the lUT, set 
equal to the corresponding value supplied by the MO VS. 

NOTE: The output from the lUT for this test shall consist of 56 output strings if DES is 
being implemented, or 80 output strings if Skipjack is implemented. Each output string 
shall consist of information included in Output Type 2. 

3. The MO VS shall check the lUT's output for correctness by comparing the received results 
to known values. 
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5.2.2.4 Permutation Operation Known Answer Test for Decryption Process - CBC Mode 


NOTE: This test shall only be performed for lUTs of the DES algorithm. 


MOVS; Initialize KEYj (where i=l-32) = KEY values in Appendix B, Table 3 

IV = 0000000000000000 
If encryption is supported by the lUT; 

Send IV,32, KEY,, KEY 2 ,...,KEY 32 
If encryption not supported by the lUT: 

Initialize CT, (where i=l-32) = corresponding CT values in Table 3 
Send IV,32, KEY,, CT„ KEY 2 , CT 2 ,...,KEY 32 , CT 32 

lUT; If encryption is supported by the lUT; 

Initialize CT, = first value retained from Permutation Operation Known Answer test for the 
Encryption Process for the CBC Mode. 

Otherwise, use the first value received from the MOVS. 

FOR i = 1 to 32 

{ 

IB, = CT, 

Perform DES algorithm in decrypt state using KEY,, resulting in OB, 

PT, = OB, ® IV 

Send i, KEY,, IV, CT,, PT, 

KEY,,., = corresponding KEY supplied by MOVS 
If encryption is supported; 

CT,.,., = corresponding CT,.,., from output of Permutation Operation Known Answer 
test for the Encryption Process for the CBC mode 

else 

CT,.,., = corresponding CT,.,., from MOVS 

} 

MOVS; Compare results from each loop with known answers 


Figure 5.22 The Permutation Operation Known Answer Test for the Decryption Process - 
CBC Mode 


As summarized in Figure 5.22, the Permutation Operation Known Answer test for the CBC 
Decryption Process shall be performed as follows: 

1. The MOVS shall: 

a. If the lUT supports encryption, initialize the KEY values with the 32 constant 
KEY values supplied from Appendix B, Table 3. If the lUT does not support 
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encryption, initialize the KEY-ciphertext (KEY-CT) pairs with the 32 constant 
KEY-CT pairs from Table 3. 

b. Initialize IV to contain the value of zero, i.e., IV^^,; = 00 00 00 00 00 00 00 00. 

c. If encryption is supported by the lUT, forward the KEY and IV, as specified in 
Input Type 12. Eorward the KEY, CT, and IV to the lUT using Input Type 11 if 
encryption is not supported by the lUT. 


2. The lUT shall: 

a. If encryption is supported, initialize the CT value with the first CT value retained 
from the Permutation Operation Known Answer test for the Encryption Process 
for the CBC Mode (Section 5.2.1.4). Otherwise, use the first value received from 
the MOVS. 

b. Perform the following for i = 1 to 32: 

i. Set the input block IB; equal to the value of CTj, i.e, (IBIi,IB2i,...IB64i) = 
(CTI„CT2„...,CT64,). 

ii. Using the corresponding KEY;, process IB; through the DES algorithm in 
the decrypt state, resulting in OB^. 

hi. Calculate PT^ by exclusive-ORing OB; with IV, i.e., (PTIj, PT2i,...,PT64i) = 
(OB I jelV I, OB2,eIV2,... ,OB64ieIV64). 

iv. Eorward the current values of the loop number i, KEY;, IV, CT; and the 
resulting PT; to the MOVS using Output Type 2. 

V. Set KEYi ^.1 equal to the i+E‘ value supplied by the MOVS. 

vi. If encryption is supported, set CTj^.! equal to the corresponding CTj^.! value 
retained from the Permutation Operation Known Answer test for the 
Encryption Process for CBC Mode. If encryption is not supported, set 
CTj^i equal to the corresponding CTj^.! value supplied by the MOVS. 

NOTE: The above processing shall continue until all 32 KEY-CT values, as 
specified in Input Type II, or all 32 KEY values, as specified in Input Type 12 are 
processed. The output from the lUT for this test shall consist of 32 output strings. 
Each output string shall consist of information contained in Output Type 2. 
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The MO VS shall check the lUT's output for correctness by comparing the received results 
to known values. 



5.2.2.5 Substitution Table Known Answer Test for the Decryption Process - CBC Mode 


NOTE: This test shall only be performed for lUTs of the DES algorithm. 


MO VS; Initialize; KEY; (where i=l-19)= KEY values in Appendix B, Table 4 

IV = 0000000000000000 
If encryption is supported by the lUT; 

Send IV, 19, KEY), KEY 2 ,...,KEYi 5 
If encryption not supported; 

Initialize CT| (where i=l-19)= CT values in Table 4 
Send IV, 19, KEY;, CT„ KEY^, CT 2 ,...,KEY,„ CT„ 

lUT; If encryption is supported; 

Initialize CTj = first CT value from output of Substitution Table Known Answer test for the 
Encryption Process for the CBC Mode. 

Otherwise, use the first value received from the MO VS. 

FOR i = 1 to 19 

{ 

IB, = CT, 

Perform DES algorithm in decrypt state using KEYj, resulting in OBj 

PTi=OB, ® IV 

Send i, KEY,, IV, CT„ PT, 

KEYi^., = corresponding KEY supplied by MO VS 
If encryption is supported; 

CTj^.; = corresponding CT from output of Substitution Table Known Answer test 
for the Encryption Process for the CBC mode 

else 

CTj^.! = corresponding CT from MO VS 

} 

MO VS; Compare results from each loop with known answers 


Figure 5.23 The Substitution Table Known Answer Test for the Decryption Process - CBC 
Mode 


Figure 5.23 illustrates the Substitution Table Known Answer test for the CBC Decryption 
Process. 

1. The MOVS shall: 

a. If the lUT supports encryption, initialize the KEY values with the 19 constant 
KEY values supplied from Appendix B, Table 4. If the lUT does not support 
encryption, initialize the KEY-ciphertext (KEY-CT) pairs with 19 constant KEY- 
CT pairs from Appendix B, Table 4. 

b. Initialize IV to contain the value of zero, i.e., IV^^,; = 00 00 00 00 00 00 00 00. 
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c. If encryption is supported by the lUT, forward the IV and the 19 KEY values, as 
specified in Input Type 12. Otherwise, forward the IV and the 19 KEY-CT pairs 
to the lUT, as specified in Input Type 11. 


2. The lUT shall: 

a. If encryption is supported, initialize the CT value with the first CT value retained 
from the Substitution Table Known Answer test for the Encryption Process for the 
CBC Mode (Section 5.2.1.5). Otherwise, use the first CT value received from the 
MO VS. 

b. Perform the following for i = 1 to 19: 

i. Set the input block IB; equal to the value of CTj, i.e, (IBli,IB2i,...IB64i) = 
(CTli,CT2„...,CT64i). 

ii. Using the corresponding KEY;, process IB; through the DES algorithm in 
the decrypt state, resulting in the output block OB,. 

hi. Calculate PT, by exclusive-ORing OB; with IV, i.e., (PTlj, PT2i,...,PT64i) = 
(OBljelVl, OB2ieIV2, ...,OB64ieIV64). 

iv. Eorward the current values of the loop number i, KEY;, IV, CT; and the 
resulting PT^ to the MOVS as specified in Output Type 2. 

V. Set KEYi ^.1 equal to i+E‘ value supplied by MOVS. 

vi. If encryption is supported, set CTj^.! equal to the corresponding CTj^.! value 
retained from the Substitution Table Known Answer test for the 
Encryption Process for the CBC Mode. If encryption is not supported, set 
CTj^,! equal to the corresponding CTj^.! value supplied by the MOVS. 

NOTE: The above processing shall continue until the IV and all 19 KEY-CT pairs, as 
specified in Input Type 11, or the IV and all 19 KEY values, as specified in Input Type 12, 
are processed. The output from the lUT for this test shall consist of 19 output strings. 
Each output string shall consist of information included in Output Type 2. 


3. The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values. 
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5.22.6 Modes Test for the Decryption Process - CBC Mode 



lf(i==0) CVo = IVo 
Record i, KEY,, CVo, CTo 
FORj =OTO 9,999 
{ 

IBj = CTj 

Perform algorithm in decrypt state, resulting in OBj 

PTj = OBj © CVj 
CV^„ = CTj 
CT,.i = PTj 

} 


Record PTj 

Send i, KEY,, CVo, CTo, PTj 

KEYj^j = KEY; © last n bits of PT, where n=64 if DES, n=80 if Skipjack 
CVq = CTgggg 



MOVS: Check lUT's output for correctness 


Figure 5.24 The Modes Test for the Decryption Process - CBC Mode 


Figure 5.24 illustrates the Modes test for the CBC Decryption Process. 

1. The MOVS shall: 

a. Initialize KEY, the initialization vector IV and ciphertext CT variables. The CT 
and IV shall consist of 64 bits, while the KEY length shall be dependent on the 
algorithm implemented by the lUT. 

b. Eorward these values to the lUT using Input Type 2. 
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2 . 


The lUT shall perform the following for 1=0 through 399: 


a. If 1=0 (if this is the first time through this loop), set the chaining value CVq equal 
to IV. 

b. Record the current value of the outer loop number i, KEY;, CVq, and CTq. 

c. For j=0 through 9999, perform the following: 

i. Set the input block IBj equal to the value of CTj, i.e., (IBlj, IB2j,..., IB64j) 
= (CTlj, CT2j,..., CT64j). 

ii. Process the IBj through the DBS or Skipjack algorithm in the decrypt state, 
resulting in an output block OBj. 

hi. Form the plaintext PTj by exclusive-ORing OBj with the current CVj, i.e., 
(PTlj, PT2j,...,PT64j) = (OBljeCVlj, OB2jeCV2j,..., OB64jeCV64j). 

iv. Prepare for the j+1 loop by: 

- Assigning CVj^j with the value of the current CTj, i.e., (CVIj+j, 

CV2j,„ ..., CV64j,,) = (CTlj, CT2j,..., CT64j); 

- Assigning CTj+j with the value of the current PTj, i.e., (CTlj+i, 

CT2j,i,..., CT64j,,) = (PTlj, PT2j,...,PT64j). 

d. Record PTj. 

e. Output all the recorded information from this loop using Output Type 2. 

f. Assign a new value to the KEY in preparation for the next outer loop. The new 
KEY shall be calculated by exclusive-ORing the current KEY with the current PT. 
For lUTs of the DBS algorithm, this shall equate to (KEYli^.i, KEY2i^.i, ... 
KEY64,^i) = (KEYliePTlgggg, KEY 2 iePT 29999 ,... KEY6\®VT64,,,,). 

For lUTs of the Skipjack algorithm, the PT shall be expanded in length to 80 bits 
(the length of a Skipjack key) before the new KEY can be formed. This expansion 
shall be accomplished by concatenating the 16 rightmost bits of the previous PT 
(PTgggg) with thc 64 bits of the current PT (PT9999). This value shall then be 
exclusive-ORed with the current KEY to form the new KEY, i.e., (KEYli^.i, 
KEY2i^i,... KEY80i^i) = (KEYliePT499998, KEY2iePT509998,... 

KEY16,ePT64999g, KEYlV.ePTl^^, KEY18iePT29999,... KEY80,ePT649999). 

g. Assign a new value to CV in preparation for the next outer loop. CVq shall be 
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assigned the value of the current CT, i.e., (CVIq, CV2o,...,CV64o) = (CTI 9999 , 
CT 29999 ,...,CT 649999 ). (Notc that the new CV shall be denoted as CV^ to be used 
for the first pass through the inner loop when j= 0 .) 

h. Assign a new value to CT in preparation for the next outer loop. CTq shall be 
assigned the value of the current PT, i.e., (CTlg, CT2o,...,CT64o) = (PTI 9999 , 
PT 29999 ,...,PT 649999 ). (Notc that the new CT shall be denoted as CT,, to be used 
for the first pass through the inner loop when j= 0 .) 

NOTE: The output from the lUT for this test shall consist of 400 output strings 
consisting of information included in Output Type 2. 

The MO VS shall check the lUT's output for correctness by comparing the received results 
to known values. 



5.3 The Cipher Feedback (CFB) Mode 


The lUTs of the DBS or Skipjack algorithm in the Cipher Feedback (CFB) mode of operation 
shall be validated by successfully completing (1) a set of Known Answer tests applicable to both 
lUTs supporting encryption and/or decryption and (2) a Modes test for each cryptographic 
process supported by the lUT. 

The process of validating an lUT of the DBS algorithm which supports the encryption and/or 
decryption processes of the K-bit CFB mode shall involve the successful completion of the 
following six tests: 

1. The Variable Text Known Answer Test - K-bit CFB mode 

2. The Inverse Permutation Known Answer Test - K-bit CFB mode 

3. The Variable Key Known Answer Test - K-bit CFB mode 

4. The Permutation Operation Known Answer Test - K-bit CFB mode 

5. The Substitution Table Known Answer Test - K-bit CFB mode 

6. The Modes Test for the Encryption Process - K-bit CFB mode (if encryption is 
supported) 

OR 

The Modes Test for the Decryption Process - K-bit CFB mode (if decryption is 
supported) 

Note, for lUTs of the DES algorithm, K can range from 1 to 64 bits. 

The validation process for an lUT of the Skipjack algorithm which supports the encryption and/or 
decryption process of the 64-bit CFB mode of operation shall involve the successful completion 
of tests 1, 2, 3, and 6 only. 

An explanation of the tests follows. 


5.3.1 The Known Answer Tests - CFB Mode 

The K-bit CFB mode shall only have one set of Known Answer tests which shall be used 
regardless of supported process, i.e., the same set of Known Answer tests shall be used for lUTs 
supporting the encryption and/or decryption processes. 

Throughout this section, TEXT and RESUFT will refer to different variables depending on 
whether the encryption or decryption process is being tested. If the lUT performs CFB 
encryption, TEXT refers to plaintext, and RESUFT refers to ciphertext. If the lUT performs 
CFB decryption, TEXT refers to ciphertext, and RESUFT refers to plaintext. 
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5.3.1.1 The Variable Text Known Answer Test - CFB Mode 


NOTE: If Skipjack, K shall equal 64. 

MO VS: Initialize KEY: If DES, KEY = OlOIOIOIOlOIOIOl (odd parity set) 

If Skipjack, KEY = 00000000000000000000 
IV; = 8000000000000000 
K-bit TEXT = 0 

Send KEY, IV;, K-bit TEXT 

lUT: EOR i = I to 64 

{ 

IB. = IV, 

Perform algorithm in encrypt state, resulting in OB; 

K-bit RESULT,= LM''(OB,)© K-bit TEXT 
Send i, KEY, IV,, K-bit TEXT, K-bit RESULT, 

IV;,.! = basis vector where single "I" bit is in position i+I 


MO VS: Compare RESULT from each loop with known answers 

If DES, use K bits of output in Appendix B, Table 1. If Skipjack, use 64 bits of output in Appendix 
B, Table 5. 


Figure 5.25 The Variable Text Known Answer Test - CFB Mode 


As summarized in Figure 5.25, the Variable Text Known Answer test for the CFB mode shall be 
performed as follows (Note, in the following text, if the lUT is of the Skipjack algorithm, K shall 
equal 64.): 

1. The MOVS shall: 

a. Initialize the KEY parameter to the constant hexadecimal value 0. For lUTs of the 
DES algorithm, the KEY = 01 01 01 01 01 01 01 01. Note that the significant bits 
are set to "0" and the parity bits are set to "1" to make odd parity. 

Eor lUTs of the Skipjack algorithm, the KEY = 00 00 00 00 00 00 00 00 00 00. 

b. Initialize the 64 bit initialization vector IVj to the basis vector containing a "1" in 
the first bit position and "0" in the following 63 positions, i.e., IV; = 10000000 
00000000 00000000 00000000 00000000 00000000 00000000 00000000. The 
equivalent of this value in hexadecimal notation is 80 00 00 00 00 00 00 00. 
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c. Initialize the K-bit TEXT parameter to the constant hexadecimal value 0, where K 
= 1 ... 64 for DES and K = 64 for Skipjack. 

d. Eorward this information to the lUT using Input Type 2. 


2. The lUT shall perform the following for i = 1 through 64: 

a. Assign the value of the initialization vector IV; to the input block IB;, i.e., (IBlj, 
IB2,..., IB64i) = (IVl, IV2,..., IY6\). 

b. Process IB; through the DES or Skipjack algorithm in the encrypt state, resulting 
in a 64-bit output block OB;. 

c. Calculate the K-bit RESUET; by exclusive-ORing the leftmost K-bits of OB, with 
the K-bit TEXT, i.e., (RESUETl^, RESUET2,,..., RESUETK;) = (OBljeTEXTl, 
OB2ieTEXT2,...,OBKieTEXTK). 

d. Eorward the current values of the loop number i, KEY, IVj, K-bit TEXT and K-bit 
RESUET; to the MOVS, as specified in Output Type 2. 

e. Assign a new value to IVi^.i by setting it equal to the value of a basis vector with a 
"1" bit in position i-i-1 , where i=1...64. 

NOTE: This processing continues until every possible basis vector has been represented 
by the IV, i.e., 64 times. The output from the lUT shall consist of 64 output strings. 

Each output string shall consist of information included in Output Type 2. 

3. The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values found in Appendix B, Table 1 for DES or Table 5 for Skipjack. Eor 
lUTs of DES where K is less than 64, the leftmost K bits of output for each CT value in 
Table 1 shall be used. 
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5.3.1.2 The Inverse Permutation Known Answer Test - CFB Mode 


NOTE: If Skipjack, K shall equal 64. 

MO VS: Initialize KEY: If DES, KEY = OlOIOIOIOlOIOIOl (odd parity set) 

If Skipjack, KEY = 00000000000000000000 

IVi = 8000000000000000 

K-bit TEXT; (where i=l-64) = 64 CT values from the Variable Text Known Answer 
test 

Send KEY, IV;, 64, K-bit TEXTi ... TEXT ,4 

lUT: FOR i = 1 to 64 

{ 

IB, = IV. 

Perform algorithm in encrypt state, resulting in OB; 

K-bit RESULT,= LM‘'(OB,)© K-bit TEXT 
Send i, KEY, IV,, K-bit TEXT, K-bit RESULT, 

IV;,.j = basis vector where single " 1 " bit is in position i +1 

K-bit TEXT; 4 j= corresponding K-bit RESULT value from the Variable Text Known Anwer 
test 


MO VS: Compare RESULT from each loop with known answers 
The RESULTS should be all zeros. 


Figure 5.26 The Inverse Permutation Known Answer Test - CFB Mode 


As summarized in Figure 5.26, the Inverse Permutation Known Answer test for the CFB mode 
shall be performed as follows (Note, in the following text, if the lUT is of the Skipjack algorithm, 
K shall equal 64.): 

1. The MOVS shall: 

a. Initialize the KEY parameter to the constant hexadecimal value 0. For lUTs of the 
DES algorithm, the KEY = 01 01 01 01 01 01 01 01. Note that the significant bits 
are set to "0" and the parity bits are set to "1" to make odd parity. 

Eor lUTs of the Skipjack algorithm, the KEY = 00 00 00 00 00 00 00 00 00 00. 

b. Initialize the 64 bit initialization vector IVj to the basis vector containing a "1" in 
the first bit position and "0" in the following 63 positions, i.e., IVj = 10000000 
00000000 00000000 00000000 00000000 00000000 00000000 00000000. The 
equivalent of this value in hexadecimal notation is 80 00 00 00 00 00 00 00. 
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c. Initialize the K-bit TEXT; (where i=l-64) to the RESULT; obtained from the 
Variable Text Known Answer test. 

d. Eorward this information to the lUT using Input Type 5. 


2. The lUT shall perform the following for i = 1 through 64: 

a. Assign the value of the initialization vector IV; to the input block IB;, i.e., (IBlj, 
IB2;,..., IB64;) = (IVl;, IV2;,..., IV64;). 

b. Process IB; through the DBS or Skipjack algorithm in the encrypt state, resulting 
in a 64-bit output block OB;. 

c. Calculate the K-bit RESULT; by exclusive-ORing the leftmost K-bits of OB, with 
the K-bit TEXT, i.e., (RESULTl;, RESULT2,,..., RESULTK;) = (OBl;eTEXTl, 
OB2;eTEXT2,...,OBK;eTEXTK). 

d. Eorward the current values of the loop number i, KEY, IV;, K-bit TEXT and K-bit 
RESULT; to the MOVS, as specified in Output Type 2. 

e. Assign a new value to IV;^.; by setting it equal to the value of a basis vector with a 
"1" bit in position i-i-1 , where i=1...64. 

f. Assign a new value to the K-bit TEXT;^; by setting it equal to the corresponding 
output from the Variable Text Known Answer test for the CEB mode. 

NOTE: This processing continues until all ciphertext values from the Variable Text 

Known Answer test have been used as input. The output from the lUT shall consist of 64 

output strings. Each output string shall consist of information included in Output Type 2. 

3. The MOVS shall check the lUT's output for correctness by comparing the received results 

to known values. The RESULT values should be all zeros. 


95 



5.3.1.3 The Variable Key Known Answer Test - CFB Mode 


NOTE: If Skipjack, K shall equal 64. 

MO VS; Initialize KEY; If DES, KEY; = 800I0I0I0I0I0I0I (odd parity set) 

If Skipjack, KEY, = 80000000000000000000 
IV =0000000000000000 
K-bit TEXT = 0 

Send KEY, IV, K-bit TEXT 

lUT; EOR i = I to «, where « = 64 if DES, 80 if Skipjack 

{ 

IE (algorithm == Skipjack) {process all bits} 

OR 

(algorithm == DES AND i %8 != 0) 

(process all bits except parity bits} 

{ 

IB, = IV 

Perform algorithm in encrypt state using KEY,, resulting in OB, 

K-bit RESULT,= leftmost K bits of OB, denoted LM'^(OB,) ® K-bit TEXT 
Send i, KEY,, IV, K-bit TEXT, K-bit RESULT, 

KEY;,., = vector consisting of "0" in every significant bit position except for a 
single "1" bit in position i-tl. Each parity bit may have the value "1" or "0" to make 
the KEY odd parity. 

I 
I 

MO VS; Compare results of the n encryptions with known answers 

If DES, use K bits of the results in Appendix B, Table 2. If Skipjack, use 64 bits of the results in 
Appendix B, Table 6. 

Figure 5.27 The Variable Key Known Answer Test - CFB Mode 


Figure 5.27 illustrates the Variable Key Known Answer test for the CFB Mode. (Note, if the lUT 
is of the Skipjack algorithm, K shall equal 64.) 

1. The MOVS shall: 

a. Initialize KEY, to contain a "0" in every significant bit except for a "1" in the first 
position. For example, if validating an lUT of the DES algorithm, the 64 bit KEY, 

bi„= 10000000 00000001 00000001 00000001 00000001 00000001 00000001 

00000001. The equivalent of this value in hexadecimal notation is 80 01 01 01 01 
01 01 01. Note that the parity bits are set to "0" or "1" to get odd parity. 
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If validating an lUT of the Skipjack algorithm, the 80-bit KEY; = 10000000 
00000000 00000000 00000000 00000000 00000000 00000000 00000000 
00000000 00000000. The equivalent of this value in hexadecimal notation is 80 
00 00 00 00 00 00 00 00 00 . 

b. Initialize the 64-bit initialization vector IV to the value of 0, i.e., IV,,g,^= 00 00 00 
00 00 00 00 00 . 

c. Initialize the K-bit TEXT to the value of 0. It shall be represented as K binary bits, 
where K=1...64 for DES and K=1...80 for Skipjack, i.e., TEXTbjn=0i02...0K. This 
shall then be translated into hexadecimal. 

d. Eorward this information to the lUT using Input Type 2. 


2. The lUT shall perform the following for i = 1 to n: (NOTE: n equals the number of 
significant bits in a DES or Skipjack key.) 

a. Assign the value of the IV to IBj, i.e., (IBlj, IB2i,..., IB64i) = (IVl, IV2,..., IV64). 

b. Using the corresponding KEY, process IB, through the DES or Skipjack algorithm 
in the encrypt state resulting in OBj. 

c. Calculate the K-bit RESUET, by exclusive-ORing the leftmost K-bits of OBj, 
denoted EM’^COB,), with the K-bit TEXT, i.e.,(RESUETIj, RESUET2,,..., 
RESUETKj) = (OBljeTEXTl, OB2ieTEXT2,...,OBKieTEXTK). 

d. Eorward the current value of the loop number i, KEY;, IV, K-bit TEXT and K-bit 
RESUET; to the MOVS, as specified in Output Type 2. 

e. Set KEYi ^.1 equal to the vector consisting of "0" in every significant bit position 
except for a single "1" bit in position i-i-1. The parity bits contain "1" or "0" to 
make odd parity. 

NOTE: The above processing shall continue until every significant basis vector has been 
represented by the KEY parameter. The output from the lUT for this test shall consist of 
56 output strings if the lUT implements the DES algorithm, and 80 output strings if the 
lUT implements the Skipjack algorithm. Each output string shall consist of information 
included in Output Type 2. 


3. The MOVS shall check the lUT's output for correctness by comparing received results to 
known values found in Appendix B, Table 2 for DES or Table 6 for Skipjack. Eor lUTs 
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of DES where K is less than 64, the leftmost K bits of output for each CT in Table 2 shall 
be used. 
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5.3.1.4 The Permutation Operation Known Answer Test - CFB Mode 

NOTE: This test shall only be performed for the DES algorithm. 


MOVS; Initialize KEYj (where i =1-32) = 32 KEY values in Appendix B, Table 3 

IV = 0000000000000000 
K-bit TEXT = 0 

Send K-bit TEXT, IV, KEY,, KEY 2 ,...,KEY 32 

lUT; FOR i = 1 to 32 
{ 

IB, = IV 

Perform DES algorithm in encrypt state, resulting in OB, 

K-bit RESULT,= LM'^(OB,) ® K-bit TEXT 
Send i, KEY,, IV, K-bit TEXT, K-bit RESULT, 

KEY,,., = Corresponding KEY,,., from MOVS 


MOVS; Compare results from each loop with known answers 


Figure 5.28 The Permutation Operation Known Answer Test - CFB Mode 


As summarized in Figure 5.28, the Permutation Operation Known Answer test for the CFB mode 
shall be performed as follows: 

1. The MOVS shall: 

a. Initialize the KEY parameter with the 32 constant KEY values from Appendix B, 
Table 3. 

b. Initialize the 64-bit initialization vector IV to the value of 0, i.e., IV,,g,(=00 00 00 00 
00 00 00 00 . 

c. Initialize the K-bit TEXT to the value of 0. The TEXT shall be represented as K 
hexadecimal bits, where K=1...64t,i„or K=1...16,,g„, i.e., TEXT,,g,;=0i02...0|j. 

d. Eorward this information to the lUT using Input Type 8. 


2. The lUT shall perform the following for i = 1 to 32: 
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a. Assign the value of the IV to IBj, i.e., (IBlj, IB2i,..., IB64i) = (IVl, IV2,..., IV64). 

b. Process IB; through the DBS algorithm in the encrypt state, resulting in OB,. 

c. Calculate the K-bit RESULT, by exclusive-ORing the leftmost K-bits of OBj, 
LM'^(OBi), with the K-bit TEXT, i.e.,(RESULTli, RESULT2i,..., RESULTK,) = 
(OB 1 jeTEXT 1, OB2ieTEXT2,... ,OBKieTEXTK). 

d. Eorward the current values of the loop number i, KEY;, IV, K-bit TEXT and K-bit 
RESULT; to the MOVS, as specified in Output Type 2. 

e. Set KEYi ^.1 equal to the corresponding KEY supplied by the MOVS. 

NOTE: The above processing shall continue until all 32 KEY values, as specified in Input 
Type 8, are processed. The output from the lUT for this test shall consist of 32 output 
strings. Each output string shall consist of information included in Output Type 2. 


The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values found in Appendix B, Table 3. 



5.3.1.5 The Substitution Table Known Answer Test - CFB Mode 

NOTE: This test shall only be performed for the DES algorithm. 


MOVS: Initialize KEYi (where i=l-19) = 19 KEY values in Appendix B, Table 4 

IVj (where i=l-19) = 19 corresponding TEXT values in Table 4 
K-bit TEXT = 0 

Send K-bit TEXT, 19, KEYj, IVj, KEY 2 , IV 2 ,..., KEY;,, IVj, 

lUT; EOR i = 1 to 19 
{ 

IB, = IV, 

Perform DES algorithm in encrypt state, resulting in OBj 
K-bit RESULT,= LM'^(OB,) ® K-bit TEXT 
Send i, KEY,, IV,, K-bit TEXT, K-bit RESULT, 

KEY,^i = KEY,^i from MOVS 

IV= corresponding DATAj^., from MOVS 

} 

MOVS; Compare results from each loop with known answers 


Figure 5.29 The Substitution Table Known Answer Test - CFB Mode 


Figure 5.29 illustrates the Substitution Table Known Answer test for the CFB Mode. 

1. The MOVS shall: 

a. Initialize the KEY-DATA pairs with the 19 constant KEY-DATA values from 
Appendix B, Table 4. The DATA values shall then be assigned to the values of the 
initialization vectors IV. 

b. Initialize the K-bit TEXT to the value of 0, where K=1...64, i.e., 

TEXT,,=0,02...0k. 

c. Forward this information to the lUT using Input Type II. 

2. The lUT shall perform the following for i = 1 to 19: 

a. Assign the value of IV, to IB,, i.e., (IBIj, IB2,,..., IB64,) = (IVIj, IV2,,..., IV64,). 

b. Process IB; through the DES algorithm in the encrypt state, resulting in OB;. 
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c. Calculate the K-bit RESULT, by exclusive-ORing the leftmost K-bits of OBj, 
LM’^(OB,), with the K-bit TEXT, i.e.,(RESULT 1;, RESULT2,,..., RESULTK,) = 
(OB 1 jeTEXT 1, OB2ieTEXT2,... ,OBK,eTEXTK). 

d. Eorward the current value of the loop number i, KEY;, IV, the K-bit TEXT, and 
the K-bit RESULT,. 

e. Set KEYi ^.1 equal to the corresponding KEY in the input from the MOVS. 

f. Set IVi ^.1 equal to the corresponding DATA value in the input from the MOVS. 

NOTE: The above processing shall continue until all 19 KEY-DATA pairs, as specified in 
Input Type 11, are processed. The output from the lUT for this test shall consist of 19 
output strings. Each output string shall consist of information included in Output Type 2. 


The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values found in Appendix B, Table 4. 



5.3.2 The Modes Tests - CFB Mode 


The Modes tests required to validate an lUT for the CFB mode of operation shall be determined 
by the process or processes allowed by an lUT. The K-bit CFB Modes test for the Encryption 
Process shall be successfully completed if an lUT supports the encryption process of the CFB 
mode of operation. The K-bit CFB Modes test for the Decryption Process shall be successfully 
completed if an lUT supports the decryption process. 


5.3.2.1 The K-hit CFB Modes Test for the Encryption Process - CFB Mode 


MO VS; Initialize KEYo, IV, K-bit PTo 

Send KEYo, IV, K-bit PTo 

lUT: FOR i = 0 TO 399 

{ 

If(i==0)IBo = IV 
Record i, KEYi, PTo 
FORj = OTO 9,999 
{ 

Perform algorithm in encrypt state, resulting in OBj. 

Select the leftmost K bits of the OBj, LM*^(OBj), 
discarding the rest. 

K-bit CTj = LM'^(OBj) ® K-bit PTj 
K-bit PTj^i = LM’^(IBj) 

IBj^i = RM<«^-'^>(IBj) II K-bit CT^ 

} 

Record K-bit CTj, IBo 

Send i, KEY,, IBo, K-bit PTo, K-bit CTj 

KEYi^., = KEY) ® last n bits of CT, where «=64 if DES, «=80 if Skipjack 
K-bit PTo = LMK(IB99„) 

IBo = RM<«^-K>(IB„„) II K-bit CT„„ 


MO VS; Check the lUT's output for correctness 


Figure 5.30 The Modes Test for the Encryption Process - K-bit CFB Mode 


As summarized in Figure 5.30, the K-bit CFB Modes test for the Encryption Process shall be 
performed as follows: 

1. The MOVS shall: 

a. Initialize KEY, the initialization vector IV and the plaintext PT variables. The IV 
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shall consist of 64 bits. The PT shall be represented as K-bits, where K=1...64. 
The KEY length shall be dependent on the algorithm implemented by the lUT. 

b. Forward these values to the lUT using Input Type 2. 


2. The lUT shall perform the following for i = 0 through 399: 

a. If i = 0 (if this is the first time through the loop), set the input block IBq equal to 
the value of the IV, i.e., (IBIq, IB2o,...,IB64o) = (IVI, IV2,...,IV64). 

b. Record the current value of the outer loop number i, KEY;, and the K-bit PTg. 

c. For j=0 through 9999, perform the following: 

i. Process IBj through the DES or Skipjack algorithm in the encrypt state, 
resulting in a 64-bit output block OBj. 

ii. Calculate the K-bit ciphertext CTj by exclusive-ORing the leftmost K-bits 
of OBj with the K-bit PT^, i.e., (CTl^, CT2j,..., CTKj) = (OBl^ePTlj, 
OB2jePT2j,... OBKjePTKj). 

in. Prepare for loop j+1 by doing the following: 

Assign the K-bit PTj+i with the value of the leftmost K-bits of the 
IBj, i.e., (PTlj,i, PT2j,i, ... PTKj,i) = (IBl^, ..., IBK^). 

Assign IBj^i with the value of the concatenation of the rightmost 
(64-K) bits of IBj with the K-bit CTj, i.e.,(IBIj^i, IB2j^i,...,IB64j^i) 

= (IB[K-tI]j, IB[K-t2]j,..., IB64j, CTI^, CT2^,...,CTK). 

d. Record the K-bit CT^ and IB; 

e. Output all recorded values for this loop, as specified in Output Type 2, to the 
MO VS. 

f. In preparation for the next output loop: 

i. Assign a new value to the KEY in preparation for the next outer loop. The 
new KEY shall be calculated by exclusive-ORing the current KEY of 
length n with n bits of CT. 

For lUTs of the DES algorithm, if the length of the CT is less than 64 (the 
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length of a DES key), the CT shall be expanded in length to 64 bits before 
forming the new KEY. This expansion shall be accomplished by 
concatenating x of the most current CTs together to obtain 64 bits of CT. 
Eor example, if the length of the CT is 14 (K=14), the expanded CT = 
(CTVgggj ... CTldgggj, CTlgggg ... CTldgggg, CTI 9997 ... CTldgggy, CTlgggg ... 
CTldgggg, CTI 9999 ... CT14gggg). TMs valuc shall then be exclusive-ORed 
with the current KEY to form the new KEY. Using the same example as 
above, (KEYl,^i, KEY2,^i,... KEY64,^i) = (KEYl.eCTT^gj, ... 

KEY8ieCT149995, KEY9,eCTl9996,... KEY22ieCT149996, KEY23ieCTl9997, 
... KEY36,eCT149997, KEY37,eCTl9998,... KEYSO^eCTldgggg, 
KEYSlieCTVgggg, ... KEYbd^eCT 1 dgggg,) . 

Eor lUTs of the Skipjack algorithm, CT shall be expanded in length to 80 
bits (the length of a Skipjack key) before the new KEY can be formed. 

This expansion shall be accomplished in the same manner described above 
for DES. The resulting value shall then be exclusive-ORed with the current 
KEY to form the new KEY. 

ii. Assign a new value to the K-bit PTq. The K-bit PTq shall be assigned the 
value of the leftmost K-bits of the current IB, i.e., (PTIq, PT2o, ... PTKq) = 
(IBlgggg, IB2gggg, ..., IBKgggg). 

hi. Assign a new value to IBq. IBq shall be assigned the value of the rightmost 
(64-K) bits of the current IB concatenated with the current K-bit CT, i.e., 
(IBIq, IB2q,...,IB64q) = (IB[K-i-I] 9999 , IB[K-i-2]9999,..., IB 649999 , CTI 9999 , 
CT 29999 ,..., CTK 9999 ). (Note that the new PT and IB shall be denoted as 
PTq and IBq because these values are used for the first pass through the 
inner loop when j= 0 .) 

NOTE: The output from the lUT for this test shall consist of 400 output strings. Each 
output string shall consist of information included in Output Type 2. 

3. The MO VS shall check the lUT's output for correctness by comparing the received results 
to known values. 
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5.3.2.2 The Modes Test for the Decryption Process - CFB Mode 


MO VS; Initialize KEYo, IV, K-bit CTo 

Send KEYo, IV, K-bit CXq 


lUT: FOR i = 0 TO 399 

{ 

if(i==0)IBo = IV 
Record i, KEY^, K-bit CTo 
FORj = OTO 9,999 
{ 

Perform algorithm in encrypt state, resulting in OBj. 

Select the leftmost K bits of the OBj, LM*^(OBj), 
discarding the rest. 

K-bit PTj = LMK(OBj) ® K-bit CT^ 

IBj^i = RM<«^-k)(IBj) II K-bit CTj 
K-bit CTj^i = LMK(OBj) 

} 

Record IBo, K-bit PTj 

Send i, KEY,, IBo, K-bit PT„ K-bit CT, 

KEYi^.; = KEY) ® last n bits of PT, where «=64 if DES, «=80 if Skipjack 
IBo = RM<«^-'^>(IB5,„) II K-bit CT„„ 

K-bit CTo = LMK(0B„„) 


MO VS; Check the lUT's output for correctness 


Figure 5.31 The Modes Test for the Decryption Process - CFB Mode 


Figure 5.31 illustrates the Modes test for the CFB Decryption Process. 

1. The MOVS shall: 

a. Initialize KEY, the initialization vector IV, and the ciphertext CT variables. The 
IV shall consist of 64 bits, and the CT shall be represented as K bits, where 
K=1 ...64. The KEY length shall be dependent on the algorithm implemented. 


b. 


Eorward these values to the lUT using Input Type 2. 



2. 


The lUT shall perform the following for i = 0 through 399: 


a. If i = 0 (if this is the first time through the loop), set the input block IBq equal to 
the value of IV, i.e., (IBIq, IB2o,...,IB64o) = (IVI, IV2,...,IV64). 

b. Record the current value of the outer loop number i, KEY;, and the K-bit CT^. 

c. For j=0 through 9999, perform the following: 

i. Process IBj through the DES or Skipjack algorithm in the encrypt state, 
resulting in a 64-bit output block OBj. 

ii. Calculate the K-bit PT by exclusive-ORing the leftmost K-bits of OBj with 
the K-bit CTj, i.e., (PTlj, PT2j,..., PTKj) = (OBljeCTlj, OB2jeCT2j,... 
OBKjeCTKj). 

hi. Prepare for loop j+1 by doing the following: 

- Assign IBj^i with the value of the concatenation of the rightmost (64-K) 
bits of the IBj with the K-bit CTj, i.e.,(IBlj^j, IB2j^i,...,IB64j^i) = 

(IB[K-tl]j, IB[K-t2]j,..., IB64j, CTl^, CT2j,...,CTKj). 

- Assign the K-bit CTj^j with the value of the leftmost K-bits of OBj, i.e., 
(CTlj,„ CT2j,„ ... CTKj,,) = (OBlj, OB2^, ..., OBK^). 

d. Record IBj and PTj. 

e. Output all recorded values for this loop, as specified in Output Type 2. 

f. In preparation for the next outer loop: 

i. Assign a new value to the KEY in preparation for the next outer loop. The 
new KEY shall be calculated by exclusive-ORing the current KEY of 
length n with n bits of PT. 

For lUTs of the DES algorithm, if the length of the PT is less than 64 (the 
length of a DES key), the PT shall be expanded in length to 64 bits before 
forming the new KEY. This expansion shall be accomplished by 
concatenating x of the most current PTs together to obtain 64 bits of PT. 
For example, if the length of the PT is 14 (K=14), the expanded PT = 
(PTTgggj ... PTldgggj, PTlgggg ... PTldgggg, PT 1 gggy ... PTldgggy, PT 1 gggg ... 
PTldgggg, PT 1 9999 ... PTI 49999 ). TMs valuc shall then be exclusive-ORed 
with the current KEY to form the new KEY. Using the same example as 
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above, (KEYl,^i, KEY2,^i,... KEY64,^i) = (KEYliePTT^gj, ... 

KEY8iePT149995, KEY9iePTl9996,... KEY 22 iePTl 49996 , KEY23iePTl9997, 
... KEY36,ePT149997, KEY37,ePTl9998,... KEY50iePT149998, 
KEY51iePT79999,... KEY64iePT149999,). 

Eor lUTs of the Skipjack algorithm, the PT shall be expanded in length to 
80 bits (the length of a Skipjack key) before the new KEY can be formed. 
This expansion shall be accomplished in the same manner described above 
for DES. The resulting value shall then be exclusive-ORed with the current 
KEY to form the new KEY. 

ii. Assign a new value to IBq. IBq shall be assigned the value of the rightmost 
(64-K) bits of the current IB concatenated with the current K-bit CT, i.e., 
(IBIq, IB2q,...,IB64q) = (IB[K+1]9999, IB[K+2]9999,..., IB 649999 , CTI 9999 , 

CT29999,..., CTK9999). 

hi. Assign a new value to CT^. CT^ shall be assigned the value of the leftmost 
K-bits of the current OB, EM^(OB 9999 ), i.e., (CTIq, CT2o, ... CTK,,) = 
(OBI 9999 , OB 29999 ,..., OBK 9999 ). (Note that the new CT and IB shall be 
denoted as CTq and IBq because these values are used for the first pass 
through the inner loop when j= 0 .) 

NOTE: The output from the lUT for this test shall consist of 400 output strings. Each 
output string shall consist of information included in Output Type 2. 

3. The MO VS shall check the lUT's output for correctness by comparing the received results 
to known values. 
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5.4 The Output Feedback Mode - OFB Mode 


The lUTs of the DBS and Skipjack algorithm in the Output Feedback (OFB) mode shall be 
validated by successfully completing a set of Known Answer tests and a Modes test applicable to 
both lUTs supporting the encryption and/or the decryption processes. Encryption and decryption 
using the OFB mode of operation involve processing an input block through the encrypt state of 
the specified algorithm. Therefore, the same set of Known Answer tests and Modes test can be 
applied to lUTs supporting both encryption and decryption. 

The process of validating an lUT of the OFB mode of the DES algorithm which implements the 
encryption and/or decryption processes shall involve the successful completion of the following 
six tests: 

1. The Variable Text Known Answer Test - OFB mode 

2. The Inverse Permutation Known Answer Test - OFB mode 

3. The Variable Key Known Answer Test - OFB mode 

4. The Permutation Operation Known Answer Test - OFB mode 

5. The Substitution Table Known Answer Test - OFB mode 

6 . The Modes Test - OFB mode 

The lUTs of the Skipjack algorithm shall successfully complete tests 1, 2, 3, and 6 only. 

An explanation of the tests for the OFB mode follows. 


5.4.1 The Known Answer Tests - OFB Mode 

In the following description of the Known Answer tests, TEXT refers to plaintext, and RESUFT 
refers to ciphertext if the lUT implements the encryption process of the OFB mode of operation. 
If the lUT supports the decryption process of the OFB mode of operation, TEXT refers to 
ciphertext, and RESUFT refers to plaintext. 
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5.4.1.1 The Variable Text Known Answer Test - OFB Mode 


MOVS;Initialize KEY; If DES, KEY = 0101010101010101 (odd parity set) 
If Skipjack, KEY = 00000000000000000000 
IV,= 8000000000000000 
TEXT = 0000000000000000 
Send KEY, IV,, TEXT 

lUT: FOR i = 1 to 64 

{ 

IB, = IV, 

Perform algorithm in encrypt state resulting in OB, 

RESULT,= OB,® TEXT 

Send i, KEY, IVi,TEXT, RESULT, 

IV,,., = basis vector where single "1" bit is in position i+1 


MO VS; Compare results from each loop with known answers 

If DES, use Appendix B, Table 1. If Skipjack, use Appendix B, Table 5. 


Figure 5.32 The Variable Text Known Answer Test - OFB Mode 


Figure 5.32 illustrates the Variable Text Known Answer test for the OFB Mode. 

1. The MOVS shall: 

a. Initialize the KEY parameter to the constant hexadecimal value 0. For lUTs of the 
DES algorithm, the KEY,,^,; = 01 01 01 01 01 01 01 01. Note that the significant 
bits are set to "0" and the parity bits are set to "1" to make odd parity. Eor lUTs 
of the Skipjack algorithm, the KEY,,^,; = 00 00 00 00 00 00 00 00 00 00. 

b. Initialize the 64 bit initialization vector IV, to the basis vector containing a "I" in 
the first bit position and "0" in the following 63 positions, i.e., IV, ^in = 10000000 
00000000 00000000 00000000 00000000 00000000 00000000 00000000. The 
equivalent of this value in hexadecimal notation is 80 00 00 00 00 00 00 00. 

c. Initialize the TEXT parameter to the constant hexadecimal value 0, i.e., TEXT,,^,^ = 

00 00 00 00 00 00 00 00 . 


no 





d. Forward this information to the lUT using Input Type 2. 


2 The lUT shall perform the following for i = 1 through 64: 

a. Assign the value of IV; to the input block IB, i.e., (IB Ij, IB2i,..., IB64,) = (IVlj, 
IV2,,..., IV64,). 

b. Process IB; through the DBS or Skipjack algorithm in the encrypt state, resulting 
in output block OB,. 

c. Calculate RESULT, by exclusive-ORing OB; with TEXT, i.e., (RESULTlj, 
RESULT2,,..., RESULT64,) = (OBljeTEXTl, OB2,eTEXT2, ..., 
OB64ieTEXT64). 

d. Eorward the current value of the loop number i, KEY, IVj, TEXT, and RESULT; 
to the MOVS, as specified by Output Type 2. 

e. Assign a new value to IVi^.; by setting it equal to the value of a basis vector with a 
"1" bit in position i+1, where i=1...64. 

NOTE: This processing shall continue until every possible basis vector has been 

represented by the IV, i.e., 64 times. The output from the lUT for this test shall consist of 

64 output strings. Each output string shall consist of information included in Output Type 

2 . 


3. The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values found in Appendix B, Table 1 for DBS and Table 5 for Skipjack . 
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5.4.1.2 The Inverse Permutation Known Answer Test - OFB Mode 


MOVS;Initialize KEY; If DES, KEY = 0101010101010101 (odd parity set) 

If Skipjack, KEY = 00000000000000000000 
IV,= 8000000000000000 

TEXT, (where i=l-64) = 64 RESULT values from the Variable Text Known Answer test 
Send KEY, IV„ 64, TEXT, ... TEXT 64 

lUT: FOR i = 1 to 64 

{ 

IB, = IV, 

Perform algorithm in encrypt state resulting in OB, 

RESULTp OB,® TEXT 

Send i, KEY, IV„TEXT, RESULT, 

IV,,., = basis vector where single " 1 " bit is in position i +1 

TEXT;,., = corresponding RESULT value from the Variable Text Known Answer test 

} 

MOVS: Compare RESULT from each loop with known answers. 

The TEXT should be all zeros. 


Figure 5.33 The Inverse Permutation Known Answer Test - OFB Mode 


Figure 5.33 illustrates the Inverse Permutation Known Answer test for the OFB Mode. 

1. The MOVS shall: 

a. Initialize KEY parameter to the constant hexadecimal value 0. For lUTs of the 
DES algorithm, the KEY,,^,; = 01 01 01 01 01 01 01 01. Note that the significant 
bits are set to "0" and the parity bits are set to "1" to make odd parity. 

Eor lUTs of the Skipjack algorithm, the KEY,,^,; = 00 00 00 00 00 00 00 00 00 00. 

b. Initialize the 64 bit initialization vector IV, to the basis vector containing a "I" in 
the first bit position and "0" in the following 63 positions, i.e., IV, ^in = 10000000 
00000000 00000000 00000000 00000000 00000000 00000000 00000000. The 
equivalent of this value in hexadecimal notation is 80 00 00 00 00 00 00 00. 

c. Initialize the TEXT, parameter (where i=l-64) to the RESUET, obtained from the 
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Variable Plaintext Known Answer test. 


d. Forward this information to the lUT using Input Type 5. 


2 The lUT shall perform the following for i = 1 through 64: 

a. Assign the value of IV; to the input block IB, i.e., (IB Ij, IB2i,..., IBbdj) = (IVIj, 
IV2,,..., IV64,). 

b. Process IB; through the DBS or Skipjack algorithm in the encrypt state, resulting 
in output block OB,. 

c. Calculate RESULT, by exclusive-ORing OB; with TEXT, i.e., (RESULTlj, 
RESULT2,,..., RESULT64,) = (OBljeTEXTl, OB2,eTEXT2, ..., 
OB64ieTEXT64). 

d. Eorward the current value of the loop number i, KEY, IVj, TEXT, and RESULT, 
to the MOVS, as specified by Output Type 2. 

e. Assign a new value to IVj+i by setting it equal to the value of a basis vector with a 
"1" bit in position i+1, where i=1...64. 

f. Assign a new value to the TEXT^^.^ by setting it equal to the corresponding 
RESULT value from the Variable Text Known Answer test for the OEB mode. 

NOTE: This processing shall continue until all ciphertext values from the Variable Text 

Known Answer Text have been used as input. The output from the lUT for this test shall 

consist of 64 output strings. Each output string shall consist of information included in 

Output Type 2. 


3. 


The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values. The RESULT values should be all zeros. 
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5.4.1.3 The Variable Key Known Answer Test - OFB Mode 


MOVS; Initialize KEYi! If DES, KEYi=8001010101010101 (odd parity set) 

If Skipjack, KEYi=80000000000000000000 
IV = 0000000000000000 
TEXT = 0000000000000000 
Send KEYi, IV, TEXT 

lUT; FOR i = I to «, where « = 64 if DES, 80 if Skipjack 
{ 

IF (Skipjack) {process all bits} 
or 

(DES AND i %8 != 0) 

(process all bits except parity bits} 

{ 

IBi = IV 

Perform algorithm in encrypt state, resulting in OBj 

RESULT,= OB, ® TEXT 

Send i, KEY^, IV, TEXT, RESULT, 

KEYj^., = vector consisting of "0" in every significant bit position except for a 
single "1" bit in position i+1. Each parity bit may have the value "1" or "0" to make 
the KEY odd parity. 

} 


MOVS; Compare results of the n encryptions with known answers 

If DES, use Appendix B, Table 2. If Skipjack, use Appendix B, Table 6. 

Figure 5.34 The Variable Key Known Answer Test - OFB Mode 


As summarized in Figure 5.34, the Variable Key Known Answer test for the OFB mode shall be 
performed as follows: 

1. The MOVS shall: 

a. Initialize KEY) to contain a "0" in every significant bit except for a "1" in the first 
position. For an lUT of the DES algorithm, the 64 bit KEYj bin= 10000000 
00000001 00000001 00000001 00000001 00000001 00000001 00000001. The 
equivalent of this value in hexadecimal notation is 80 01 01 01 01 01 01 01. Note 
that the parity bits are set to "0" or "1" to get odd parity. 

For an lUT of the Skipjack algorithm, the 80 bit KEY; = 10000000 00000000 
00000000 00000000 00000000 00000000 00000000 00000000 00000000 
00000000. The equivalent of this value in hexadecimal notation is 80 00 00 00 00 
00 00 00 00 00 . 
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b. Initialize the 64 bit initialization vector IV to the value of 0, i.e., IV,,g^=00 00 00 00 
00 00 00 00 . 

c. Initialize TEXT to the value of 0, i.e., TEXT,,g,;=00 00 00 00 00 00 00 00. 

d. Eorward this information to the lUT using Input Type 2. 

2. The lUT shall perform the following for i = 1 to n: (NOTE: n equals the number of 
significant bits in a DES or Skipjack key.) 

a. Assign the value of IV to IB,, i.e., (IBl,, IB2,,..., IB64,) = (IVl, IV2,..., IV64). 

b. Process IB; through the DES or Skipjack algorithm in the encrypt state, resulting 
in output block OB,. 

c. Calculate RESUET, by exclusive-ORing OB; with TEXT, i.e.,(RESUETli, 
RESUET2,,..., RESUET64,) = (OBljeTEXTl, 

OB2ieTEXT2,...,OB64ieTEXT64). 

d. Eorward the current value of the loop number i, KEY;, IV, TEXT and RESUET; to 
the MOVS, as specified in Output Type 2. 

e. Set KEY,+i equal to the vector consisting of "0" in every significant bit position 
except for a single "1" bit in position i+1. 

NOTE: The above processing shall continue until every significant basis vector has been 
represented by the KEY parameter. The output from the lUT for this test shall consist of 
56 output strings if the lUT implements the DES algorithm and 80 output strings if the 
lUT implements the Skipjack algorithm. Each output string shall consist of information 
included in Output Type 2. 


3. The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values found in Appendix B, Table 2 for DES and Table 6 for Skipjack. 
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5.4.1.4 The Permutation Operation Known Answer Test - OFB Mode 

NOTE: This test shall only be performed for the DES algorithm. 


MOVS; Initialize KEY; (where i=l-32) = 32 KEY values in Appendix B, Table 3 

IV = 0000000000000000 
TEXT = 0000000000000000 
Send TEXT, IV, KEYj, KEYj,..., KEY 32 

lUT; FOR i = 1 to 32 
{ 

IBi = IV 

Perform DES algorithm in encrypt state, resulting in OBj 

RESULT,= OB, ® TEXT 

Send i, KEY,, IV, TEXT, RESULT, 

KEYi^., = Corresponding KEYi^.! from MOVS 


MOVS; Compare results with known answers 


Figure 5.35 The Permutation Operation Known Answer Test - OFB Mode 


Figure 5.35 illustrates the Permutation Operation Known Answer test for the OFB mode. 

1. The MOVS shall: 

a. Initialize the KEY parameter with the 32 constant KEY values from Appendix B, 
Table 3. 

b. Initialize IV to the value of 0, i.e., IV^g,;=00 00 00 00 00 00 00 00. 

c. Initialize TEXT to the value of 0, i.e., TEXT^g,;=00 00 00 00 00 00 00 00. 

d. Eorward this information to the lUT using Input Type 8. 

2. The lUT shall perform the following for i = 1 to 32: 

a. Assign the value of IV to the input block IBj, i.e., (IBlj, IB2i,..., IBbd;) = (IVl, 
IV2,..., IV64). 

b. Process IB; through the DES algorithm in the encrypt state, resulting in the output 
block OB,. 
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c. Calculate RESULT, by exclusive-ORing OB; with TEXT, i.e.,(RESULTli, 
RESULT2,,..., RESULT64i) = (OBljeTEXTl, OB2ieTEXT2, 

OB64ieTEXT64). 

d. Eorward the current values of the loop number i, KEYj, IV, TEXT and RESULT;. 

e. Set KEYi ^.1 equal to the corresponding KEY supplied from the MOVS. 

NOTE: The above processing shall continue until all 32 KEY values, as specified in Input 
Type 8, are processed. The output from the lUT for this test shall consist of 32 output 
strings. Each output string shall consist of information included in Output Type 2. 


The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values found in Appendix B, Table 3. 



5.4.1.5 The Substitution Table Known Answer Test - OFB Mode 


NOTE: This test shall only be performed for the DES algorithm. 


MOVS; Initialize KEY; (where i=l-19) = 19 KEY values in Appendix B, Table 4 

IVj (where i=l-19) = 19 corresponding PT values in Appendix B, Table 4 
TEXT = 0000000000000000 

Send TEXT, 19, KEY,, IV„ KEY^, IV 2 ,...,KEYi 5 , IV,, 

lUT; FOR i = 1 to 19 
{ 

IB, = IV, 

Perform DES algorithm in encrypt state, resulting in OB, 

RESULT,= OB, ® TEXT 

Send i, KEY,, IV,, TEXT, RESULT, 

KEY,,., = KEY,,., from MOVS 

IVj.,., = corresponding DATA,.,., from MOVS 


MOVS; Compare results from each loop with known answers 


Figure 5.36 The Substitution Table Known Answer Test - OFB Mode 


As summarized in Figure 5.36, the Substitution Table Known Answer test for the OFB mode shall 
be performed as follows: 

1. The MOVS shall: 

a. Initialize the KEY-INPUT pairs with the 19 constant KEY-IV values from 
Appendix B, Table 4. The PT/TEXT/IV values from the table shall then be 
assigned to the values of the initialization vector IVs. 

b. Initialize TEXT to the value of 0, i.e., TEXT,,g,,=00 00 00 00 00 00 00 00. 

c. Forward this information to the lUT using Input Type II. 


2. The lUT shall perform the following for i = 1 to 19: 

a.. Assign the value of IV, to the input block IB,, i.e., (IBl,, IB2i,..., IB64,) = (IVl,, 
IV2„..., IV64,). 
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b. Process IB; through the DBS algorithm in the encrypt state, resulting in the output 
block OBj. 

c. Calculate RESULTj by exclusive-ORing OBj, with TEXT, i.e.,(RESUETli, 
RESUET2,,..., RESUET64,) = (OBljeTEXTl, OB2,eTEXT2, ..., 
OB64ieTEXT64). 

d. Eorward the current value of the loop number i, KEY;, IVj, TEXT and RESUETj. 

e. Set KEYi ^.1 equal to the corresponding KEY value supplied by the MOVS. 

f. Set IVi ^.1 equal to the corresponding PT/TEXT/IV value supplied by the MOVS. 

NOTE: The above processing shall continue until all 19 KEY/INPUT pairs, as specified 
in Input Type 11, are processed. The output from the lUT for this test shall consist of 19 
output strings. Each output string shall consist of information included in Output Type 2. 


The MOVS shall check the lUT's output for correctness by comparing the received results 
to known values found in Appendix B, Table 4. 



5.4.1.6 The Modes Test - OFB Mode 


MO VS: Initialize KEYo, IV, TEXTo 

Send KEYo, IV, TEXTo 

lUT: FOR i = 0 TO 399 

{ 

If(i==0)IBo = IV 
Record i, KEY,, TEXTo 
FORj = OTO 9,999 
{ 

Perform algorithm in encrypt state, resulting in OBj 
RESULTj = OBj ® TEXTj 

TEXTj^i = IBj 
IBj,, = OBj 

} 

Record IBo, RESULT, 

Send i, KEY,, IBo, TEXTo, RESULTj 

KEYjj., = KEY)® last n bits of RESULT, where «=64 if DES, «=80 if Skipjack 
TEXTo = TEXTo ® IB9999 

IBo = OB 9999 


MO VS: Check lUT's output for correctness 


Figure 5.37 The Modes Test - OFB Mode 


As summarized in Figure 5.37, the Modes test for the OFB mode shall be performed as follows: 

1. The MOVS shall: 

a. Initialize KEY, IV and TEXT. The TEXT and IV shall consist of 64 bits, while 
the KEY length is dependent on the algorithm implemented. 

b. Forward these values to the lUT using Input Type 2. 

2. The lUT shall perform the following, for i=0 through 399: 

a. If i=0 (if this is the first time through the loop), set the input block IBq equal to the 
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value of IV, i.e., (IBIq, IB2o,...,IB64o) = (IVl, IV2,...,IV64). 


b. Record the current value of the outer loop number i, KEY;, and TEXTq. 

c. Eor j=0 through 9999, perform the following: 

i. Process IBj through the DES or Skipjack algorithm in the encrypt state, 
resulting in the output block OBj. 

ii. Calculate RESUETj by exclusive-ORing OBj with the value of TEXTj, i.e., 
(RESUETlj, RESUET2j,..., RESUET64j) = (OBljeTEXTlj, 
OB2jeTEXT2j,... OB64jeTEXT64j). 

iii. Prepare for loop j+1 by doing the following: 

- Assign the current value of IBj to TEXT^^i, i.e., (TEXTlj^i, TEXT2j^j, ... 
TEXT64j,,) = (IBlj, IB2j, ..., IB64j). 

- Assign the value of the current OBj to IBj+i, i.e.,(IBlj^i, IB2j^i,...,IB64j+i) 
= (OBlj, OB2j,...,OB64j). 


d. Record the IBq and RESUETj. 

e. Output all recorded values for this loop using Output Type 2. 

f. In preparation of the next outer loop: 

i. Assign a new value to KEY in preparation for the next outer loop. The 
new KEY shall be calculated by exclusive-ORing the current KEY with the 
current RESUET. Eor lUTs of the DES algorithm, this shall equate to 
(KEYli.i, KEY2i,i, ... KEY64.,i) = (KEYl^eRESUETl^^g, 
KEY 2 ieRESUET 25999 ,... KEYbdieRESUETbdgggg). Eor lUTs of the 
Skipjack algorithm, the RESUET shall be expanded in length to 80 bits 
(the length of a Skipjack key) before the new KEY can be formed. This 
expansion shall be accomplished by concatenating the 16 rightmost bits of 
the previous RESUET (RESUETgggg) with the 64 bits of the current 
RESUET (RESUET 9999 ). This value shall then be exclusive-ORed with the 
current KEY to form the new KEY, i.e., (KEYlj^i, KEY2i^i,... KEY80,^i) 
= (KEYlieRESUET499998, KEY2ieRESUET509998,... 
KEY16ieRESUET645553, KEYlVieRESUETl,,,,, KEY18ieRESUET25„9, 
... KEY80ieRESUET645559). 

ii. Assign a new value to TEXT,,. The TEXTg shall be assigned the value of 
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the old TEXTq, exclusive-ORed with IB 9999 , i.e., (TEXTIq, TEXT2o, ... 
TEXT64o) = (TEXTloeIBl 9999 , TEXT2oeIB29999,..., TEXTddoelBdVg). 
(Note that the new TEXT shall be denoted as TEXTq because this value is 
used for the first pass through the inner loop when j= 0 .) 

in. Assign a new value to IBg. The IBg shall be assigned the current value of 
OB 9999 , i.e., (IBIq, IB2o,...,IB64o) = (OBI 9999 , OB 29999 ,...,OB 649999 ). (Note 
that the new IB shall be denoted as IBg because this value is used for the 
first pass through the inner loop when j= 0 .) 

NOTE: The output from the lUT for this test shall consist of 400 output strings. Each 
output string shall consist of information included in Output Type 2. 

3. The MO VS shall check the lUT's output for correctness by comparing the received results 

to known values. 
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6. DESIGN OF THE MODES OF OPERATION VALIDATION SYSTEM (MOVS) FOR 

DES AND SKIPJACK 


6.1 Design Philosophy 

NIST validation programs are conformance tests rather than measures of product security. NIST 
validation tests are designed to assist in the detection of accidental implementation errors, and are 
not designed to detect intentional attempts to misrepresent conformance. Thus, validation by 
NIST should not be interpreted as an evaluation or endorsement of overall product security. 

An lUT is considered validated for a test option when it passes the appropriate set of MO VS 
tests. MO VS testing is via statistical sampling, so validation of an option does not guarantee 
100 % conformance with the option in the standards. 

The intent of the validation process is to provide a rigorous conformance process that can be 
performed at modest cost. NIST does not try to prevent a dishonest vendor from purchasing a 
validated implementation and using this implementation as the vendor's lUT. Customers who 
wish to protect themselves against a dishonest vendor could require that the vendor revalidate the 
lUT in the customer's presence. 

6.2 Operation of the MO VS 

MO VS testing is done through the NIST Cryptographic Module Validation (CMV) Program. 

The CMV Program uses laboratories accredited by the NIST National Voluntary Laboratory 
Accreditation Program (NVLAP) to perform conformance tests to cryptographic-related FIPS. A 
vendor contracts with a Cryptographic Module Testing (CMT) Laboratory accredited by 
NVLAP. The CMT laboratory conducts the MO VS tests on the lUT. The CMT laboratory 
submits the results to NIST for validation. If the lUT has successfully completed the tests, NIST 
issues a validation certificate for the lUT to the vendor. A list of CMT laboratories is available at 
http://csrc.nist.gov/cryptval. 
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Appendix A Sample Round Outputs for the DES 


INPUT 

KEY = 10316E028C8F3B4A 

PLAINTEXT = 0000000000000000 

L 

R 

00000000 

47092B5B 

47092B5B 

53E372AE 

53F372AF 

9E1D158B 

9F1D158B 

8109CBEE 

8109CBEE 

60448698 

60448698 

29EBB1A4 

29EBB1A4 

620CC3A3 

620CC3A3 

DEEB3D8A 

DEEB3D8A 

A1A0354D 

A1A0354D 

9E0303DC 

9E0303DC 

ED898EE8 

ED898EE8 

2D1AE1DD 

2D1AE1DD 

CBC829EA 

CBC829EA 

B367DEC9 

B367DEC9 

3E6C3EED 

3E6C3EED 

5A1E5228 


OUTPUT 

82DCBAEBDEAB6602 
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Appendix B Tables of Values for the Known Answer Tests 


Table 1 

Resulting Ciphertext from the Variable Plaintext Known Answer Test for DES 

(NOTE: KEY =01 01 01 01 01 01 01 01 (oddparity set)) 


ROUND 

PLAINTEXT or IV 
(depending on mode) 

CIPHERTEXT 

0 

80 00 00 00 00 00 00 00 

95 F8 A5 E5 DD 31 D9 00 

1 

40 00 00 00 00 00 00 00 

DD 7F 12 1C A5 01 56 19 

2 

20 00 00 00 00 00 00 00 

2E 86 53 10 4E 38 34 EA 

3 

10 00 00 00 00 00 00 00 

4B D3 88 EE 6C D8 ID 4E 

4 

08 00 00 00 00 00 00 00 

20 B9 E7 67 B2 EB 14 56 

5 

04 00 00 00 00 00 00 00 

55 57 93 80 D7 71 38 EE 

6 

02 00 00 00 00 00 00 00 

6 C C5 DE EA AE 04 51 2E 

7 

01 00 00 00 00 00 00 00 

OD 9E 27 9B A5 D8 72 60 

8 

00 80 00 00 00 00 00 00 

D9 03 IB 02 71 BD 5A OA 

9 

00 40 00 00 00 00 00 00 

42 42 50 B3 7C 3D D9 51 

10 

00 20 00 00 00 00 00 00 

B8 06 IB 7E CD 9A 21 E5 

11 

00 10 00 00 00 00 00 00 

El 5D OE 28 6B 65 BD 28 

12 

00 08 00 00 00 00 00 00 

AD DO CC 8D 6E 5D EB A1 

13 

00 04 00 00 00 00 00 00 

E6 D5 E8 27 52 AD 63 D1 
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ROUND 

PLAINTEXT or IV 
(depending on mode) 

CIPHERTEXT 

14 

00 02 00 00 00 00 00 00 

EC BE E3 BD 3E 59 lA 5E 

15 

00 01 00 00 00 00 00 00 

E3 56 83 43 79 D1 65 CD 

16 

00 00 80 00 00 00 00 00 

2B 9E 98 2E 20 03 7E A9 

17 

00 00 40 00 00 00 00 00 

88 9D EO 68 A1 6E OB E6 

18 

00 00 20 00 00 00 00 00 

El 9E 27 5D 84 6A 12 98 

19 

00 00 10 00 00 00 00 00 

32 9A 8ED5 23 D7 lAEC 

20 

00 00 08 00 00 00 00 00 

E7 EC E2 25 57 D2 3C 97 

21 

00 00 04 00 00 00 00 00 

12A9E5 81 7EE2D6 5D 

22 

00 00 02 00 00 00 00 00 

A4 84 C3 AD 38 DC 9C 19 

23 

00 00 01 00 00 00 00 00 

EB EO OA 8A IE E8 AD 72 

24 

00 00 00 80 00 00 00 00 

75 OD 07 94 07 52 13 63 

25 

00 00 00 40 00 00 00 00 

64 EE ED 9C 72 4C 2E AE 

26 

00 00 00 20 00 00 00 00 

EO 2B 26 3B 32 8E 2B 60 

27 

00 00 00 10 00 00 00 00 

9D 64 55 5A 9A 10 B8 52 

28 

00 00 00 08 00 00 00 00 

D1 06 EE OB ED 52 55 D7 

29 

00 00 00 04 00 00 00 00 

El 65 2C 6B 13 8C 64 A5 

30 

00 00 00 02 00 00 00 00 

E4 28 58 11 86 EC 8E 46 

31 

00 00 00 01 00 00 00 00 

AE B5 E5 ED E2 2D lA 36 
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ROUND 

PLAINTEXT or IV 
(depending on mode) 

CIPHERTEXT 

32 

00 00 00 00 80 00 00 00 

E9 43 D7 56 8A EC OC 5C 

33 

00 00 00 00 40 00 00 00 

DE 98 C8 27 6E 54 BO 4B 

34 

00 00 00 00 20 00 00 00 

B1 60 E4 68 OE 6C 69 6E 

35 

00 00 00 00 10 00 00 00 

EA 07 52 BO 7D 9C 4A B8 

36 

00 00 00 00 08 00 00 00 

CA 3A 2B 03 6D BC 85 02 

37 

00 00 00 00 04 00 00 00 

5E 09 05 51 7B B5 9B CE 

38 

00 00 00 00 02 00 00 00 

814EEB3B91D9 07 26 

39 

00 00 00 00 01 00 00 00 

4D49DB 15 32 91 9C 9E 

40 

00 00 00 00 00 80 00 00 

25 EB 5E C3 E8 CE 06 21 

41 

00 00 00 00 00 40 00 00 

AB 6A 20 CO 62 OD 1C 6E 

42 

00 00 00 00 00 20 00 00 

79 E9 OD BC 98 E9 2C CA 

43 

00 00 00 00 00 10 00 00 

86 6E CE DD 80 72 BB OE 

44 

00 00 00 00 00 08 00 00 

8 B 54 53 6E 2E 3E 64 A8 

45 

00 00 00 00 00 04 00 00 

EA51 D3 97 55 95 B8 6B 

46 

00 00 00 00 00 02 00 00 

CA EE C6 AC 45 42 DE 31 

47 

00 00 00 00 00 01 00 00 

8 D D4 5A 2D DE 90 79 6C 

48 

00 00 00 00 00 00 80 00 

10 29 D5 5E 88 OE C2 DO 

49 

00 00 00 00 00 00 40 00 

5D 86 CB 23 63 9D BE A9 
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ROUND 

PLAINTEXT or IV 
(depending on mode) 

CIPHERTEXT 

50 

00 00 00 00 00 00 20 00 

ID 1C A8 53 AE 7C OC 5F 

51 

00 00 00 00 00 00 10 00 

CE 33 23 29 24 8F 32 28 

52 

00 00 00 00 00 00 08 00 

84 05 D1 AB E2 4F B9 42 

53 

00 00 00 00 00 00 04 00 

E6 43 D7 80 90 CA 42 07 

54 

00 00 00 00 00 00 02 00 

48 22 IB 99 37 74 8A 23 

55 

00 00 00 00 00 00 01 00 

DD 7C OB BD 61 FA FD 54 

56 

00 00 00 00 00 00 00 80 

2F BC 29 lA 57 OD B5 C4 

57 

00 00 00 00 00 00 00 40 

EO 7C 30 D7 E4 E2 6E 12 

58 

00 00 00 00 00 00 00 20 

09 53 E2 25 8E 8E 90 A1 

59 

00 00 00 00 00 00 00 10 

5B71 1BC4CEEBF2EE 

60 

00 00 00 00 00 00 00 08 

CC 08 3F IE 6D 9E 85 F6 

61 

00 00 00 00 00 00 00 04 

D2 FD 88 67 D5 OD 2D FE 

62 

00 00 00 00 00 00 00 02 

06 E7 FA 22 CE 92 70 8F 

63 

00 00 00 00 00 00 00 01 

16 6B 40 B4 4A BA 4B D6 
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Table 2 


Resulting Ciphertext from the Variable Key Known Answer Test for DES 

(NOTE: Plaintext/text = 00 00 00 00 00 00 00 00 and, where applicable, IV = 00 00 00 00 00 00 00 00) 


ROUND 

KEY 

CIPHERTEXT 

0 

80 01 01 01 01 01 01 01 

95 A8 D7 28 13 DA A9 4D 

1 

40 01 01 01 01 01 01 01 

OE EC 14 87 DD 8C 26 D5 

2 

20 01 01 01 01 01 01 01 

7A D1 6E EB 79 C4 59 26 

3 

10 01 01 01 01 01 01 01 

D3 74 62 94 CA 6A 6C E3 

4 

08 01 01 01 01 01 01 01 

80 9E 5E 87 3C IE D7 61 

5 

04 01 01 01 01 01 01 01 

CO 2E AE EE C9 89 D1 EC 

6 

02 01 01 01 01 01 01 01 

46 15 AA ID 33 E7 2E 10 

7 

01 80 01 01 01 01 01 01 

20 55 12 33 50 CO 08 58 

8 

01 40 01 01 01 01 01 01 

DE 3B 99 D6 57 73 97 C8 

9 

01 20 01 01 01 01 01 01 

31 EE 17 36 9B 52 88 C9 

10 

01 10 01 01 01 01 01 01 

DE DD 3C C6 4D AE 16 42 

11 

01 08 01 01 01 01 01 01 

17 8C 83 CE 2B 39 9D 94 

12 

01 04 01 01 01 01 01 01 

50 E6 36 32 4A 9B 7E 80 

13 

01 02 01 01 01 01 01 01 

A8 46 8E E3 BC 18 EO 6D 

14 

01 01 80 01 01 01 01 01 

A2 DC 9E 92 ED 3C DE 92 
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ROUND 

KEY 

CIPHERTEXT 

15 

01 01 40 01 01 01 01 01 

CA CO 9F 79 7D 03 12 87 

16 

01 01 20 01 01 01 01 01 

90 BA 68 OB 22 AE B5 25 

17 

01 01 10 01 01 01 01 01 

CE 7A 24 E3 50 E2 80 B6 

18 

01 01 08 01 01 01 01 01 

88 2B EE OA AO lA OB 87 

19 

01 01 04 01 01 01 01 01 

25 61 02 88 92 45 11 C2 

20 

01 01 02 01 01 01 01 01 

C7 15 16 C2 9C 75 D1 70 

21 

01 01 01 80 01 01 01 01 

51 99 C2 9A 52 C9 EO 59 

22 

01 01 01 40 01 01 01 01 

C2 2E OA 29 4A 71 E2 9E 

23 

01 01 01 20 01 01 01 01 

EE 37 14 83 71 4C 02 EA 

24 

01 01 01 10 01 01 01 01 

A8 IE BD 44 8E 9E 52 2E 

25 

01 01 01 08 01 01 01 01 

4E 64 4C 92 El 92 DE ED 

26 

01 01 01 04 01 01 01 01 

lA EA 9A 66 A6 DE 92 AE 

27 

01 01 01 02 01 01 01 01 

B3C1CC715CB8 79 D8 

28 

01 01 01 01 80 01 01 01 

19 DO 32 E6 4A BO BD 8B 

29 

01 01 01 01 40 01 01 01 

3C EA A7 A7 DC 87 20 DC 

30 

01 01 01 01 20 01 01 01 

B7 26 5E 7E 44 7A C6 E3 

31 

01 01 01 01 10 01 01 01 

9D B7 3B 3C OD 16 3E 54 

32 

01 01 01 01 08 01 01 01 

81 81 B6 5B ABE4A9 75 
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ROUND 

KEY 

CIPHERTEXT 

33 

01 01 01 01 04 01 01 01 

93 C9 B6 40 42 EA A2 40 

34 

01 01 01 01 02 01 01 01 

55 70 53 08 29 70 55 92 

35 

01 01 01 01 01 80 01 01 

86 38 80 9E 87 87 87 AO 

36 

01 01 01 01 01 40 01 01 

41 B9 A7 9A E7 9A C2 08 

37 

01 01 01 01 01 20 01 01 

7A 9B E4 2E 20 09 A8 92 

38 

01 01 01 01 01 10 01 01 

29 03 8D 56 BA 6D 27 45 

39 

01 01 01 01 01 08 01 01 

54 95 C6ABE1 E5DE51 

40 

01 01 01 01 01 04 01 01 

AE 13 DB D5 61 48 89 33 

41 

01 01 01 01 01 02 01 01 

02 4D IE EA 89 04 E3 89 

42 

01 01 01 01 01 01 80 01 

D1 39 97 12E9 9BE0 2E 

43 

01 01 01 01 01 01 40 01 

14 Cl D7C1 CEEEC7 9E 

44 

01 01 01 01 01 01 20 01 

ID E5 27 9D AE 3B ED 6E 

45 

01 01 01 01 01 01 10 01 

E9 41 A3 3E 85 50 13 03 

46 

01 01 01 01 01 01 08 01 

DA 99 DB BC 9A 03 E3 79 

47 

01 01 01 01 01 01 04 01 

B7 EC 92 E9 ID 8E 92 E9 

48 

01 01 01 01 01 01 02 01 

AE 8E 5C AA 3C AO 4E 85 

49 

01 01 01 01 01 01 01 80 

9C C6 2D E4 3B 6E ED 74 

50 

01 01 01 01 01 01 01 40 

D8 63 DB B5 C5 9A91 AO 
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ROUND 

KEY 

CIPHERTEXT 

51 

01 01 01 01 01 01 01 20 

A1 AB21 90 54 5B 91 D7 

52 

01 01 01 01 01 01 01 10 

08 75 04 IE 64 C5 70 F7 

53 

01 01 01 01 01 01 01 08 

5A 59 45 28 BE BE El CC 

54 

01 01 01 01 01 01 01 04 

ECDB 32 91 DE21 EO CO 

55 

01 01 01 01 01 01 01 02 

86 9E ED 7E 9E 26 5A 09 
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Table 3 


Values To Be Used for the Permutation Operation Known Answer Test 

(NOTE: Plaintext/text = 00 00 00 00 00 00 00 00 for each round and, 
where applicable, IV = 00 00 00 00 00 00 00 00) 


ROUND 

KEY 

CT/RESUUT 

0 

10 46 91 34 89 98 01 31 

88 D5 5E 54 F5 4C 97 B4 

1 

10 07 10 34 89 98 80 20 

OC OC CO OC 83 EA 48 ED 

2 

10 07 10 34 C8 98 01 20 

83 BC 8EE3 A6 57 01 83 

3 

10 46 10 34 89 98 80 20 

DE 72 5D CA D9 4E A2 E9 

4 

10 86 91 15 19 19 01 01 

E6 52 B5 3B 55 OB E8 BO 

5 

10 86 91 15 19 58 01 01 

AE 52 71 20 C4 85 CB BO 

6 

51 07 BO 15 19 58 01 01 

OE 04 CE 39 3D B9 26 D5 

7 

10 07 BO 15 19 19 01 01 

C9 EO OE EC 74 07 90 67 

8 

31 07 91 54 98 08 01 01 

7C ED 82 A5 93 25 2B 4E 

9 

31 07 91 94 98 08 01 01 

CB 49 A2 E9 E9 13 63 E3 

10 

10 07 91 15 B9 08 01 40 

00 B5 88 BE 70 D2 3E 56 

11 

31 07 91 15 98 08 01 40 

40 6A 9A 6A B4 33 99 AE 

12 

10 07 DO 15 89 98 01 01 

6CB7 73 61 1DCA9ADA 
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ROUND 

KEY 

CT/RESULT 

13 

91 07 91 15 89 98 01 01 

67 FD 21 Cl 7D BB 5D 70 

14 

91 07 DO 15 89 19 01 01 

95 92 CB 41 10 43 07 87 

15 

10 07 DO 15 98 98 01 20 

A6 B7 FF 68 A3 18 DD D3 

16 

10 07 94 04 98 19 01 01 

4D 10 21 96 C9 14 CA 16 

17 

01 07 91 04 91 19 04 01 

2D FA 9F 45 73 59 49 65 

18 

01 07 91 04 91 19 01 01 

B4 66 04 81 6C OF 07 74 

19 

01 07 94 04 91 19 04 01 

6 E 7E 62 21 A4 E3 4E 87 

20 

19 07 92 10 98 lAOl 01 

AA 85 E7 46 43 23 31 99 

21 

10 07 91 19 98 19 08 01 

2E 5A 19 DB 4D 19 62 D6 

22 

10 07 91 19 98 1A08 01 

23 A8 66 A8 09 D3 08 94 

23 

10 07 92 10 98 19 01 01 

D8 12 D9 61 EO 17 D3 20 

24 

10 07 91 15 98 19 01 OB 

05 56 05 81 6E 58 60 8E 

25 

10 04 80 15 98 19 01 01 

AB D8 8E 8B IB 77 16 El 

26 

10 04 80 15 98 19 01 02 

53 7A C9 5B E6 9D A1 El 

27 

10 04 80 15 98 19 01 08 

AE DO E6 AE 3C 25 CD D8 

28 

10 02 91 15 98 10 01 04 

B3 E3 5A 5E E5 3E 7B 8D 

29 

10 02 91 15 98 19 01 04 

61 Cl 9C71 92 1A2E E8 
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ROUND 

KEY 

CT/RESULT 

30 

10 02 91 15 98 10 02 01 

E2 F5 72 8F 09 95 01 3C 

31 

10 02 91 16 98 10 01 01 

lA EA C3 9A 61 FO A4 64 
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Table 4 


Values To Be Used for the Substitution Table Known Answer Test 



KEY 

PT/TEXT/IV 
(depending on mode) 

CT/RESULT 

0 

7C A1 10 45 4A lA 6E 57 

01 A1 D6 DO 39 77 67 42 

69 OF 5B OD 9A 26 93 9B 

1 

01 31 D9 61 9DC1 37 6E 

5C D5 4C A8 3D EE 57 DA 

7A38 9D 10 35 4B D2 71 

2 

07 A1 13 3E4A0B 26 86 

02 48 D4 38 06F6 71 72 

86 8E BB51 CA B4 59 9A 

3 

38 49 67 4C 26 02 31 9E 

51 45 4B 58 2D DF44 0A 

71 78 87 6E01 El 9B 2A 

4 

04 B9 15 BA 43 EE B5 B6 

42 ED 44 30 59 57 7F A2 

AF 37 FB 42 IF 8C 40 95 

5 

01 13B9 70FD34E2CE 

05 9B 5E 08 51 CF 14 3A 

86 A5 60 El 0EC6 D8 5B 

6 

01 70 El 75 46 8E B5 E6 

07 56 D8 EO 77 47 61 D2 

OC D3 DA 02 00 21 DC 09 

7 

43 29 7E AD 38 E3 73 EE 

76 25 14 B8 29 BE 48 6A 

EA 67 6B 2C B7 DB 2B 7A 

8 

07 A7 13 70 45 DA 2A 16 

3B DD 11 90 49 37 28 02 

DF D6 4A81 5C AF lAOF 

9 

04 68 91 04 C2 ED 3B 2E 

26 95 5F 68 35 AF 60 9A 

5C51 3C 9C 48 86 CO 88 

10 

37 DO 6B B5 16 CB 75 46 

16 4D 5E 40 4F 27 52 32 

OA 2A EE AE 3F F4 AB 77 

11 

IE 08 26 OD lA C2 46 5E 

6 B 05 6E 18 75 9F 5C CA 

EE IB FO 3E 5D FA 57 5A 

12 

58 40 23 64 1ABA61 76 

00 4B D6 EE 09 17 60 62 

88 BE OD B6 D7 OD EE 56 

13 

02 58 16 16 46 29 BO 07 

48 OD 39 00 6E E7 62 F2 

A1F9 91 55 41 02 OB 56 

14 

49 79 3E BC 79 B3 25 8E 

43 75 40 C8 69 8F 3C FA 

6 FBF 1C AF CFFD05 56 

15 

4EB0 5E15 15 AB 73 A7 

07 2D 43 AO 77 07 52 92 

2F 22 E4 9B AB 7C A1 AC 

16 

49 E9 5D 6D 4C A2 29 BE 

02 EE 55 77 81 17 El 2A 

5A 6B 61 2C C2 6C CE 4A 

17 

01 83 10 DC 40 9B 26 D6 

1D9D 5C 50 18F7 28 C2 

5F4C 03 8ED1 2B 2E41 

18 

1C 58 7E 1C 13 92 4FEE 

30 55 32 28 6D 6F 29 5A 

63 FA CO DO 34 D9 F7 93 
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Table 5 


Resulting Ciphertext from the Variable Plaintext Known Answer Test for Skipjack 
(NOTE: KEY = 00 00 00 00 00 00 00 00 00 00) 


ROUND 

PLAINTEXT or IV (depending 
on mode) 

CIPHERTEXT 




00 

80 00 00 00 00 00 00 00 

9A 90 BC OB 75 C7 37 03 

01 

40 00 00 00 00 00 00 00 

CC 68 43 59 8C 73 2B BE 

02 

20 00 00 00 00 00 00 00 

13 72 95 35 09 B3 Cl 4C 

03 

10 00 00 00 00 00 00 00 

70 AAAA84 18E4 89 30 

04 

08 00 00 00 00 00 00 00 

E4 BO B4 A1 39 E8 54 6E 

05 

04 00 00 00 00 00 00 00 

70 18 E7 13 66 14 6E AE 

06 

02 00 00 00 00 00 00 00 

B3 8F 3D 7E 4E 2D 25 3D 

07 

01 00 00 00 00 00 00 00 

D6 4B A2 06 51 13 D9 IE 

08 

00 80 00 00 00 00 00 00 

F9 5B 92 2F 14 27 A9 F2 

09 

00 40 00 00 00 00 00 00 

6 B 64 2F DE 40 85 85 86 

10 

00 20 00 00 00 00 00 00 

6 C F5 2D 5E 61 69 52 17 

11 

00 10 00 00 00 00 00 00 

BC OF 6B CA 62 El 39 A6 

12 

00 08 00 00 00 00 00 00 

6 A D5 03 DC 2A BO BE E2 

13 

00 04 00 00 00 00 00 00 

AF AD D7 CA B6 72 35 16 

14 

00 02 00 00 00 00 00 00 

00 42 IB 89 5A F5 CO OA 

15 

00 01 00 00 00 00 00 00 

CA DO 45 6C F8 6C D5 98 

16 

00 00 80 00 00 00 00 00 

16 F4 1C 8F 8A 6A 5B 79 

17 

00 00 40 00 00 00 00 00 

4C E7 71C7 51BA 27 60 

18 

00 00 20 00 00 00 00 00 

72 C9 02 E5 8C E5 5B 87 

19 

00 00 10 00 00 00 00 00 

6 D 37 8C 66 64 DO 01 10 

20 

00 00 08 00 00 00 00 00 

AC 27 B8 5B OA 75 E8 BA 

21 

00 00 04 00 00 00 00 00 

54 DF 3A 75 5B 00 63 D2 

22 

00 00 02 00 00 00 00 00 

31 4F4D 28 6DB4 90 58 

23 

00 00 01 00 00 00 00 00 

88 AE 06 66 B2 AO 78 46 
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ROUND 

PLAINTEXT or IV (depending 
on mode) 

CIPHERTEXT 

24 

00 00 00 80 00 00 00 00 

D8 60 A8 D9 AO 2C BC E8 

25 

00 00 00 40 00 00 00 00 

37 CE 5E EA 53 13 53 5D 

26 

00 00 00 20 00 00 00 00 

73 3AF9 2D A1 Cl 80 26 

27 

00 00 00 10 00 00 00 00 

34 1C 23 5E 6E 32 98 ID 

28 

00 00 00 08 00 00 00 00 

C6 A6 56 14 47 D9 EO 96 

29 

00 00 00 04 00 00 00 00 

C5 50 66 A8 D8 39 E5 FA 

30 

00 00 00 02 00 00 00 00 

65 86 4B48 79 11 A1 OC 

31 

00 00 00 01 00 00 00 00 

87 29 07 E2 D3 36 33 2A 

32 

00 00 00 00 80 00 00 00 

AF 03 76 88 E7 A5 24 9C 

33 

00 00 00 00 40 00 00 00 

Cl EC D1 B4 DC C2 AC BB 

34 

00 00 00 00 20 00 00 00 

40 48 48 80 2D 69 3D DA 

35 

00 00 00 00 10 00 00 00 

B2 DC CE E3 3B 15 6D B6 

36 

00 00 00 00 08 00 00 00 

E6 20 F4 2A 7F A9 01 OB 

37 

00 00 00 00 04 00 00 00 

7C FO 67 F3 BD 3E C3 53 

38 

00 00 00 00 02 00 00 00 

06 37 78 IF 1A34 72 81 

39 

00 00 00 00 01 00 00 00 

47 41 El 46 4B 71 70 8E 

40 

00 00 00 00 00 80 00 00 

ED AD 33 F4 56 F5 14 DF 

41 

00 00 00 00 00 40 00 00 

ED 81 27 48 B7 F5 23 E9 

42 

00 00 00 00 00 20 00 00 

83 8C 9C C3 83 D4 62 97 

43 

00 00 00 00 00 10 00 00 

FB 2B CO EC C9 2F 9B 24 

44 

00 00 00 00 00 08 00 00 

E5 9A A1 12 2A 65 44 32 

45 

00 00 00 00 00 04 00 00 

D4 C8 EE 7E 06 43 12 53 

46 

00 00 00 00 00 02 00 00 

32 ED 63 28 14 C2 A8 56 

47 

00 00 00 00 00 01 00 00 

5D C2 9F 7D E9 6E E5 2C 

48 

00 00 00 00 00 00 80 00 

68 AO 1C 7E 8E AD D5 61 

49 

00 00 00 00 00 00 40 00 

B2 70 68 F2 D6 B3 37 E2 

50 

00 00 00 00 00 00 20 00 

lA F5 IE 9C 29 BE DC 7B 

51 

00 00 00 00 00 00 10 00 

92 ID BD 9B 1C 6B EA EB 
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ROUND 

PLAINTEXT or IV (depending 
on mode) 

CIPHERTEXT 

52 

00 00 00 00 00 00 08 00 

5B 6A 60 22 35 94 35 D2 

53 

00 00 00 00 00 00 04 00 

D7 74 C6 23 74 B2 3B 09 

54 

00 00 00 00 00 00 02 00 

FD 9F 05 27 59 4C E3 7B 

55 

00 00 00 00 00 00 01 00 

67 86 01 C8 B3 64 A7 94 

56 

00 00 00 00 00 00 00 80 

D5 18 22 8D 5B OB E3 D7 

57 

00 00 00 00 00 00 00 40 

A4 5F EE 6B DD IE 73 4A 

58 

00 00 00 00 00 00 00 20 

DIBA 95 51 DE 7C D5 68 

59 

00 00 00 00 00 00 00 10 

AE A3 3D 09 DC 9D 13 10 

60 

00 00 00 00 00 00 00 08 

96 B4 91 Cl FE44 3E 9A 

61 

00 00 00 00 00 00 00 04 

DO EO 14 CE EE 94 58 9D 

62 

00 00 00 00 00 00 00 02 

OB 9E 44 B5 37 AE 28 79 

63 

00 00 00 00 00 00 00 01 

22 E4 28 E3 EC 49 IE 60 
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Table 6 


Resulting Ciphertext from the Variable Key Known Answer Test for Skipjack 

((NOTE: Plaintext/text = 00 00 00 00 00 00 00 00 and, where applicable, IV = 00 00 00 00 00 00 00 00) 
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ROUND 

KEY 

CIPHERTEXT 

24 

00 00 00 80 00 00 00 00 00 00 

36 00 EB 92 83 6C AO 26 

25 

00 00 00 40 00 00 00 00 00 00 

75 A4 35 AD 22 EC E7 93 

26 

00 00 00 20 00 00 00 00 00 00 

71 90 AA99 13 Cl E9 EC 

27 

00 00 00 10 00 00 00 00 00 00 

AB A7 18 B1 85 A1 ID DO 

28 

00 00 00 08 00 00 00 00 00 00 

40 E6 7A BE CC 3B 87 3C 

29 

00 00 00 04 00 00 00 00 00 00 

38 AO A5 8E BO 97 28 E2 

30 

00 00 00 02 00 00 00 00 00 00 

CA 70 2E 49 BE 6E A6 45 

31 

00 00 00 01 00 00 00 00 00 00 

45 5D 93 EO 39 EA 08 60 

32 

00 00 00 00 80 00 00 00 00 00 

53 47 64 3E E8 03 88 3E 

33 

00 00 00 00 40 00 00 00 00 00 

E4 OE El DC BA 2B Cl E5 

34 

00 00 00 00 20 00 00 00 00 00 

57 4A 48 48 36 9D 41 2E 

35 

00 00 00 00 10 00 00 00 00 00 

B2 BE 93 6E 36 67 06 36 

36 

00 00 00 00 08 00 00 00 00 00 

5C 88 51 7D 27 42 E6 19 

37 

00 00 00 00 04 00 00 00 00 00 

99 3C 89 DO 9A 2E E5 56 

38 

00 00 00 00 02 00 00 00 00 00 

lA 3E 72 DA 69 4C 9E C7 

39 

00 00 00 00 01 00 00 00 00 00 

96 59 D5 22 8E4CB1 51 

40 

00 00 00 00 00 80 00 00 00 00 

7C 13E4 9E75 OE 5C 30 

41 

00 00 00 00 00 40 00 00 00 00 

35 00 BD 40 7B CD 01 E6 

42 

00 00 00 00 00 20 00 00 00 00 

85 C5 8E 3C 49 44 20 28 

43 

00 00 00 00 00 10 00 00 00 00 

84 13 84 OA 2D 48 AB EA 

44 

00 00 00 00 00 08 00 00 00 00 

83 28 50 E6 E5 C4 AE 5A 

45 

00 00 00 00 00 04 00 00 00 00 

29 E9 7E OD 9E OE DC 5E 

46 

00 00 00 00 00 02 00 00 00 00 

2C 45 23 04 37 EE 2E 04 

47 

00 00 00 00 00 01 00 00 00 00 

10 C4 09 EB 87 2A 98 4E 

48 

00 00 00 00 00 00 80 00 00 00 

14 69 3B 30 C3 AE 74 70 

49 

00 00 00 00 00 00 40 00 00 00 

91 3A 90 50 D5 85 BA B9 

50 

00 00 00 00 00 00 20 00 00 00 

5B EB OE 83 AB OC 6E EA 

51 

00 00 00 00 00 00 10 00 00 00 

6C OC A7 28 4D 83 6A AE 
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ROUND 

KEY 

CIPHERTEXT 

52 

00 00 00 00 00 00 08 00 00 00 

AC 57 27 D6 12 El 85 E8 

53 

00 00 00 00 00 00 04 00 00 00 

38 D7 D5 96 A3 D2 9D 90 

54 

00 00 00 00 00 00 02 00 00 00 

78 BA DA D3 BC 43 6C A2 

55 

00 00 00 00 00 00 01 00 00 00 

E4 05 77 87 41 BO 4B AO 

56 

00 00 00 00 00 00 00 80 00 00 

72 EE E4 3D EA 02 AE A5 

57 

00 00 00 00 00 00 00 40 00 00 

52 E9 31 DE 24 8C E4 C7 

58 

00 00 00 00 00 00 00 20 00 00 

4BB165FDB3 BE E6 5C 

59 

00 00 00 00 00 00 00 10 00 00 

7C EA EA 68 61 D7 B4 7D 

60 

00 00 00 00 00 00 00 08 00 00 

48D1 75 52 31 E8 7A 2A 

61 

00 00 00 00 00 00 00 04 00 00 

41 32 07 DA 1C 9B 6A B5 

62 

00 00 00 00 00 00 00 02 00 00 

63 E8 18E9 38 2A 27 78 

63 

00 00 00 00 00 00 00 01 00 00 

ED AE 2B 85 EC 30 EB 09 

64 

00 00 00 00 00 00 00 00 80 00 

11 EC 59 93 82 07 63 E7 

65 

00 00 00 00 00 00 00 00 40 00 

E5 39 C3 96 99 15 09 2E 

66 

00 00 00 00 00 00 00 00 20 00 

50 6E 6A IE 83 4A D8 E7 

67 

00 00 00 00 00 00 00 00 10 00 

8B 15 BA 30 47 EA 31 95 

68 

00 00 00 00 00 00 00 00 08 00 

13 OB El 5C 39 3E 4B 7A 

69 

00 00 00 00 00 00 00 00 04 00 

88 95 EC 31 04 CA 10 41 

70 

00 00 00 00 00 00 00 00 02 00 

E4 40 AC DE 4B 64 C9 C9 

71 

00 00 00 00 00 00 00 00 01 00 

C2 32 80 EB EO 93 EO 02 

72 

00 00 00 00 00 00 00 00 00 80 

52 64 A6 57 41 EE 78 E3 

73 

00 00 00 00 00 00 00 00 00 40 

80 89 2E 76 85 47 CE 61 

74 

00 00 00 00 00 00 00 00 00 20 

09 11 41 2D 72 09 34 75 

75 

00 00 00 00 00 00 00 00 00 10 

9E 21 AA 76 47 83 E6 49 

76 

00 00 00 00 00 00 00 00 00 08 

4C A9 EA BE AD 2C 02 C6 

77 

00 00 00 00 00 00 00 00 00 04 

59 CE 10 97 3A 7B IE D5 

78 

00 00 00 00 00 00 00 00 00 02 

68 3B 29 34 EO CC BE AA 

79 

00 00 00 00 00 00 00 00 00 01 

74 DO E7 C2 E3 B4 50 A8 


142 



























































































REFERENCES 


1. Data Encryption Standard (DES), EIPS PUB 46-2, December 30, 1993. 

2. Eserowed Eneryption Standard (EES), EIPS PUB 185, Eebruary 9, 1994. 

3. Validating the Correetness of Hardware Implementations of the NBS Data Encryption 
Standard, NBS Special Publication 500-20, November, 1977. 

4. DES Modes of Operation, EIPS PUB 81, Deeember 2, 1980. 

5. Seeurity Requirements for Cryptographie Modules, PIPS PUB 140-1, January 11, 1994. 

6. Guidelines for Implementing and Using the NBS Data Eneryption Standard, PIPS PUB 
74, April 1, 1981. 


143 



